Edit tour

Windows Analysis Report
EDownloader.exe

Overview

General Information

Sample name:	EDownloader.exe
Analysis ID:	1431754
MD5:	3d92268fec3c1cf2e0e29a47d22a79fb
SHA1:	445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5
SHA256:	20475e541ca6a061eb5dc587784b9a3910bda519ccfd8d009dfcb4fd60fff0b6
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

EDownloader.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\EDownloader.exe" MD5: 3D92268FEC3C1CF2E0E29A47D22A79FB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005E6300 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,_strstr,_strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,	0_2_005E6300
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EA450 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_005EA450
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005CE400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_005CE400
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005CE490 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_005CE490
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EA580 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_005EA580
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005CF760 GetModuleHandleA,GetProcAddress,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,	0_2_005CF760
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005D17C0 CryptAcquireContextA,CryptCreateHash,	0_2_005D17C0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005D1800 CryptHashData,	0_2_005D1800
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005D1820 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_005D1820
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00525CD0 CreateFileW,CloseHandle,CryptAcquireContextW,CryptCreateHash,GetFileSize,ReadFile,CryptHashData,CloseHandle,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00525CD0

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_005B83A0
Source: EDownloader.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: mov dword ptr [ebx+04h], 424D53FFh

0_2_005DCDB0

Source: EDownloader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EDownloader.exe

Static PE information: certificate valid

Source: EDownloader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\PackageDownloader\mmloader\main\EDownloader\Release\EDownloader.pdb source: EDownloader.exe

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_006119B2 FindFirstFileExW,

0_2_006119B2

Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\SysWOW64\KERNELBASE.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\SysWOW64\KERNEL32.DLL	Jump to behavior

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005BED70 recv,WSAGetLastError,

0_2_005BED70

Source: EDownloader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EDownloader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: EDownloader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: EDownloader.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EDownloader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EDownloader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: EDownloader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: EDownloader.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EDownloader.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: EDownloader.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: EDownloader.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: EDownloader.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: EDownloader.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: EDownloader.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: EDownloader.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: EDownloader.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: EDownloader.exe	String found in binary or memory: https://www.baidu.com/
Source: EDownloader.exe	String found in binary or memory: https://www.google.com/
Source: EDownloader.exe	String found in binary or memory: https://www.google.com/https://www.baidu.com/GMT

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005584C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_005584C0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00558FB0 PeekMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetTickCount,_wcsstr,GetKeyState,		0_2_00558FB0

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005EA580 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_005EA580

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005382B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_005382B0

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F6065	0_2_005F6065
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005D0060	0_2_005D0060
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00610179	0_2_00610179
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F21F1	0_2_005F21F1
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005BE200	0_2_005BE200
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F6299	0_2_005F6299
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0057C280	0_2_0057C280
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00608326	0_2_00608326
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A8310	0_2_005A8310
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005B03D0	0_2_005B03D0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0059C3F0	0_2_0059C3F0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005C23F0	0_2_005C23F0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A8440	0_2_005A8440
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F64CD	0_2_005F64CD
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F24AC	0_2_005F24AC
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005724A0	0_2_005724A0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0056E550	0_2_0056E550
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A0540	0_2_005A0540
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005E4500	0_2_005E4500
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EC500	0_2_005EC500
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A25B0	0_2_005A25B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005947D0	0_2_005947D0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005E2860	0_2_005E2860
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00560820	0_2_00560820
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005FC8EA	0_2_005FC8EA
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005FE8E0	0_2_005FE8E0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0059E950	0_2_0059E950
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005369D0	0_2_005369D0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00574AD0	0_2_00574AD0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00584AB0	0_2_00584AB0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005ECB00	0_2_005ECB00
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0059EC80	0_2_0059EC80
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00572DB0	0_2_00572DB0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0059CE50	0_2_0059CE50
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00618EE0	0_2_00618EE0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005CCF40	0_2_005CCF40
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0053F03F	0_2_0053F03F
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00577150	0_2_00577150
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0057D11F	0_2_0057D11F
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005591B0	0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00573270	0_2_00573270
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_006172EC	0_2_006172EC
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A9370	0_2_005A9370
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00521380	0_2_00521380
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A1380	0_2_005A1380
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005A33B0	0_2_005A33B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00617410	0_2_00617410
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00533570	0_2_00533570
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00559520	0_2_00559520
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_006156CA	0_2_006156CA
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005CF760	0_2_005CF760
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F17E0	0_2_005F17E0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00571910	0_2_00571910
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F190E	0_2_005F190E
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00521A70	0_2_00521A70
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0055FAF0	0_2_0055FAF0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00613B67	0_2_00613B67
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0055DB10	0_2_0055DB10
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0059BB10	0_2_0059BB10
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005DDB30	0_2_005DDB30
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0057BBF0	0_2_0057BBF0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005E1C60	0_2_005E1C60
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F1C80	0_2_005F1C80
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EDDDB	0_2_005EDDDB
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00591E70	0_2_00591E70
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0052BF70	0_2_0052BF70
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0056FF70	0_2_0056FF70
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F1F2A	0_2_005F1F2A
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00585F90	0_2_00585F90

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005A6850 appears 54 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005BEB00 appears 319 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005CB6F0 appears 34 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 00522E90 appears 249 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005EF720 appears 68 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005F9D38 appears 52 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 00522BA0 appears 94 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005E83D0 appears 36 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 0052C890 appears 310 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005CB7A0 appears 80 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005BEBE0 appears 270 times
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: String function: 005C11F0 appears 36 times

Source: EDownloader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005E3590 GetLastError,___swprintf_l,FormatMessageA,___swprintf_l,___swprintf_l,_strncpy,GetLastError,SetLastError,

0_2_005E3590

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005382B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_005382B0

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_00554FA0 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,

0_2_00554FA0

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_0058F650 LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_0058F650

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005639E0 GetWindowLongW,SetWindowLongW,GetClientRect,SetWindowPos,GetModuleFileNameW,_wcsrchr,FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource,MessageBoxW,ExitProcess,

0_2_005639E0

Source: C:\Users\user\Desktop\EDownloader.exe

File created: C:\Users\user\Desktop\EasyLog.log

Jump to behavior

Source: C:\Users\user\Desktop\EDownloader.exe

Mutant created: NULL

Source: EDownloader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EDownloader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EDownloader.exe

String found in binary or memory: 0123456789abcdef%d.%d.%d.%dkernel32LoadLibraryExA\/AddDllDirectoryschannel

Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	Section loaded: textshaping.dll	Jump to behavior

Source: EDownloader.exe

Static PE information: certificate valid

Source: EDownloader.exe

Static file information: File size 1327952 > 1048576

Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EDownloader.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: EDownloader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: EDownloader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\PackageDownloader\mmloader\main\EDownloader\Release\EDownloader.pdb source: EDownloader.exe

Source: EDownloader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EDownloader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EDownloader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EDownloader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EDownloader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005287D0 RegCreateKeyExA,RegSetValueExA,RegCloseKey,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_005287D0

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EF5D5 push ecx; ret	0_2_005EF5E8
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EF766 push ecx; ret	0_2_005EF779
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005FB94E push ecx; iretd	0_2_005FB94F

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005581C0 GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos,	0_2_005581C0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005591B0 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,SetCapture,GetTickCount,SetFocus,SetCapture,GetTickCount,ReleaseCapture,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,	0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005591B0 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,SetCapture,GetTickCount,SetFocus,SetCapture,GetTickCount,ReleaseCapture,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,	0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005591B0 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,SetCapture,GetTickCount,SetFocus,SetCapture,GetTickCount,ReleaseCapture,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,	0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00563400 IsIconic,	0_2_00563400
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00525500 GetWindowLongW,SetWindowLongW,IsIconic,ScreenToClient,GetClientRect,IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,CallWindowProcW,	0_2_00525500
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00525500 GetWindowLongW,SetWindowLongW,IsIconic,ScreenToClient,GetClientRect,IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,CallWindowProcW,	0_2_00525500
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00563820 IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,	0_2_00563820

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005EDDDB GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005EDDDB

Source: C:\Users\user\Desktop\EDownloader.exe

API coverage: 2.3 %

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_006119B2 FindFirstFileExW,

0_2_006119B2

Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\SysWOW64\KERNELBASE.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll	Jump to behavior
Source: C:\Users\user\Desktop\EDownloader.exe	File opened: C:\Windows\SysWOW64\KERNEL32.DLL	Jump to behavior

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005EF77B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005EF77B

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_005287D0 RegCreateKeyExA,RegSetValueExA,RegCloseKey,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_005287D0

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0060FAEA mov eax, dword ptr fs:[00000030h]	0_2_0060FAEA
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_0060FB30 mov eax, dword ptr fs:[00000030h]	0_2_0060FB30
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_00605E63 mov eax, dword ptr fs:[00000030h]	0_2_00605E63

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EEB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005EEB22
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EF77B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005EF77B
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005EF90E SetUnhandledExceptionFilter,	0_2_005EF90E
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005F3FEE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005F3FEE

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_0059E130 cpuid

0_2_0059E130

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_006140C0
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: EnumSystemLocalesW,	0_2_0060C26F
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,MultiByteToWideChar,GetVersionExW,IsWindow,PostMessageW,	0_2_0054C350
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: EnumSystemLocalesW,	0_2_00614366
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: EnumSystemLocalesW,	0_2_006143B1
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: EnumSystemLocalesW,	0_2_0061444C
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_006144D7
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,	0_2_0061472C
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00614854
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,	0_2_0060C822
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,	0_2_0061495C
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00614A2F
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: GetLocaleInfoW,	0_2_005394D0

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_0060C861 GetSystemTimeAsFileTime,

0_2_0060C861

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_00526920 GetUserNameW,LookupAccountNameW,IsValidSid,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,

0_2_00526920

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_0060EC7B _free,_free,_free,GetTimeZoneInformation,_free,

0_2_0060EC7B

Source: C:\Users\user\Desktop\EDownloader.exe

Code function: 0_2_0054C350 GetLocaleInfoW,MultiByteToWideChar,GetVersionExW,IsWindow,PostMessageW,

0_2_0054C350

Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005C0240 htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,		0_2_005C0240
Source: C:\Users\user\Desktop\EDownloader.exe	Code function: 0_2_005DF6C0 bind,WSAGetLastError,		0_2_005DF6C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	2 System Time Discovery	1 Exploitation of Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	23 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EDownloader.exe	0%	ReversingLabs
EDownloader.exe	0%	Virustotal		Browse

Name	Source	Malicious	Reputation
https://www.google.com/https://www.baidu.com/GMT	EDownloader.exe	false	high
https://www.google.com/	EDownloader.exe	false	high
https://curl.haxx.se/docs/http-cookies.html	EDownloader.exe	false	high
https://curl.haxx.se/docs/http-cookies.html#	EDownloader.exe	false	high
https://www.baidu.com/	EDownloader.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431754
Start date and time:	2024-04-25 18:17:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EDownloader.exe
Detection:	CLEAN
Classification:	clean6.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 213
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size exceeded maximum capacity and may have missing disassembly code.

Process:	C:\Users\user\Desktop\EDownloader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.9697947247990175
Encrypted:	false
SSDEEP:	3:bRAv+OwnvQNOo2yjEQdVMcLvQNOo2yn:bb34jT7HL4jX
MD5:	FF0DA2AA2413F1F278FFD795A4293747
SHA1:	2E10D553A646C21CFA8F0F07BDB54423F6A724DC
SHA-256:	EA9DF83AB19A8C46D7E6604C2DC87511F99044A2B0161D547CA68FD2D3EF680E
SHA-512:	D18960256B89CF86759F2EF96CD95A8A8AFC4EC3F9FE6D7DCAC220ED6C4BEFB733BA730BFD5A86C96C1D4C892384FB07E0FD4119173850548E663E0867761977
Malicious:	false
Reputation:	low
Preview:	ParseCmdLine param=...[2024.04.25 19:24:51 Thursday]..Install recomand ErrCode=3.[2024.04.25 19:24:51 Thursday]..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591503398666959
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EDownloader.exe
File size:	1'327'952 bytes
MD5:	3d92268fec3c1cf2e0e29a47d22a79fb
SHA1:	445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5
SHA256:	20475e541ca6a061eb5dc587784b9a3910bda519ccfd8d009dfcb4fd60fff0b6
SHA512:	d378a3def28412392e4b7426e53d6c2154c1b59c85815559843084d8381f91761cf0d7fd58b88014c69ee3ef215402217249b82e4a64c00dd5dce9674beabc31
SSDEEP:	24576:95ZO2T67qsf6EbDOt20wjgrccMT8wGo20zd:927UdrccNwGo20zd
TLSH:	69558E617D42C172E1910170AEBFAFB6996DB5380B3540DBA7C00D3E9530AD2BA35B7B
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........".;.C.h.C.h.C.h.%.i.C.h.%.i C.h.%.i.C.ht..h.C.h.+.i.C.h.+.i.C.h.+.i.C.h.%.i.C.h.%.i.C.h.C.hPB.h.%.i.C.hO.i.C.hO9h.C.h.CQh.C.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cef5e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x657FECEB [Mon Dec 18 06:55:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	83b999c43d5940cad2066ca37770b561

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/08/2022 02:00:00 03/10/2025 01:59:59
Subject Chain	CN="CHENGDU YIWO Tech Development Co., Ltd.", O="CHENGDU YIWO Tech Development Co., Ltd.", L=\u6210\u90fd\u5e02, S=\u56db\u5ddd\u7701, C=CN
Version:	3
Thumbprint MD5:	A9CA0963936C7546B2348E650C8D8514
Thumbprint SHA-1:	8F5F832BA07AE78DC635886D20042C21300D5DB9
Thumbprint SHA-256:	8A6407872F4E2E95BB570B1751BED91D0B9D0BC90643F8F9E505374BF77519AB
Serial:	0AB53526DD9E3F80814952E212FFB1C4

Entrypoint Preview

Instruction
call 00007F616CE8BC39h
jmp 00007F616CE8AEBFh
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
push ebx
xor edi, edi
mov eax, dword ptr [esp+14h]
or eax, eax
jnl 00007F616CE8B056h
inc edi
mov edx, dword ptr [esp+10h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+14h], eax
mov dword ptr [esp+10h], edx
mov eax, dword ptr [esp+1Ch]
or eax, eax
jnl 00007F616CE8B056h
inc edi
mov edx, dword ptr [esp+18h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+1Ch], eax
mov dword ptr [esp+18h], edx
or eax, eax
jne 00007F616CE8B05Ah
mov ecx, dword ptr [esp+18h]
mov eax, dword ptr [esp+14h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+10h]
div ecx
mov edx, ebx
jmp 00007F616CE8B083h
mov ebx, eax
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
shr ebx, 1
rcr ecx, 1
shr edx, 1
rcr eax, 1
or ebx, ebx
jne 00007F616CE8B036h
div ecx
mov esi, eax
mul dword ptr [esp+1Ch]
mov ecx, eax
mov eax, dword ptr [esp+18h]
mul esi
add edx, ecx
jc 00007F616CE8B050h
cmp edx, dword ptr [esp+14h]
jnbe 00007F616CE8B04Ah
jc 00007F616CE8B049h
cmp eax, dword ptr [esp+10h]
jbe 00007F616CE8B043h
dec esi
xor edx, edx
mov eax, esi
dec edi
jne 00007F616CE8B049h
neg edx
neg eax
sbb edx, 00000000h
pop ebx
pop esi
pop edi
retn 0010h
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13186c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x5f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x141a00	0x2950	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x139000	0xc230	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x126f30	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x127040	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x126fa0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x101000	0x6c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xffb3b	0xffc00	800a547f152deb58dcc7637bebfe7b21	False	0.48263761608015643	data	6.521448412368595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x101000	0x32bde	0x32c00	8f7afa3ae6070acb034335b4e2bae657	False	0.3848041102216749	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000	5.367310260450011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x134000	0x39a4	0x2400	4b0958377ef3c5000d2a7ace9f05b544	False	0.19813368055555555	data	3.9789298039521968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x138000	0x5f0	0x600	1752197a1bbfd2bf6b2ae489af36291f	False	0.4765625	data	4.544009189321645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x139000	0xc230	0xc400	8822af14128603b305d1eb503da79d4f	False	0.5656688456632653	data	6.587363980280129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MENU	0x138180	0x50	data	Chinese	China	0.8375
RT_DIALOG	0x1381e0	0x12c	data	Chinese	China	0.61
RT_STRING	0x138310	0x4c	data	Chinese	China	0.6710526315789473
RT_ACCELERATOR	0x1381d0	0x10	data	Chinese	China	1.25
RT_MANIFEST	0x138360	0x28b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5529953917050692

Imports

DLL	Import
KERNEL32.dll	IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetStdHandle, GetFullPathNameW, HeapReAlloc, GetFileAttributesExW, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapAlloc, HeapFree, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileInformationByHandle, GetDriveTypeW, GetModuleFileNameA, SetEnvironmentVariableW, RtlUnwind, InitializeSListHead, GetCommandLineA, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, ResetEvent, SetEvent, GetCPInfo, LCMapStringW, CompareStringW, GetSystemTimeAsFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SwitchToThread, CreateEventW, EncodePointer, GetStringTypeW, GetProcessHeap, HeapSize, GetFileSizeEx, CreateFileA, FormatMessageA, SetLastError, PeekNamedPipe, GetStdHandle, ExpandEnvironmentStringsA, VerifyVersionInfoA, GetModuleHandleA, GetSystemDirectoryA, VerSetConditionMask, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, GetCurrentThreadId, FreeEnvironmentStringsW, WaitForSingleObjectEx, GetTickCount64, SleepEx, LeaveCriticalSection, LoadLibraryW, GetPrivateProfileStringA, GetLocaleInfoW, Sleep, EnterCriticalSection, WaitForMultipleObjects, DecodePointer, DeleteCriticalSection, InitializeCriticalSectionEx, RaiseException, WaitForSingleObject, SetEndOfFile, SetFilePointerEx, OutputDebugStringW, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, DosDateTimeToFileTime, GetFileType, SystemTimeToFileTime, DuplicateHandle, WriteFile, InitializeCriticalSectionAndSpinCount, ExitProcess, LockResource, SizeofResource, FreeResource, LoadResource, FindResourceW, GetACP, GetTickCount, GetCurrentDirectoryW, GetUserDefaultUILanguage, CreateMutexW, TerminateProcess, OpenProcess, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, ReleaseMutex, GetModuleHandleW, OutputDebugStringA, LoadLibraryExW, GetLocalTime, CreateDirectoryW, GetEnvironmentVariableW, SetFilePointer, DeleteFileW, GetTempPathW, MultiByteToWideChar, GetSystemInfo, GetTimeZoneInformation, CreateThread, FreeLibrary, GetProcAddress, LoadLibraryA, GetVersionExW, GetCurrentProcess, GetExitCodeProcess, GetLastError, CreateProcessW, ReadFile, GetFileSize, CloseHandle, CreateFileW, GetModuleFileNameW, WideCharToMultiByte, MoveFileExW, WriteConsoleW
USER32.dll	GetWindowLongW, SetWindowLongW, IsIconic, ScreenToClient, SendMessageW, LoadImageW, GetParent, DestroyWindow, InvalidateRgn, GetClientRect, GetWindowRect, SetWindowRgn, MsgWaitForMultipleObjects, PeekMessageW, TranslateMessage, DispatchMessageW, ExitWindowsEx, GetSystemMetrics, KillTimer, CreateAcceleratorTableW, ClientToScreen, PtInRect, SetTimer, PostQuitMessage, MoveWindow, GetWindowDC, ReleaseDC, FindWindowW, IsWindow, SetForegroundWindow, SetFocus, GetDC, DefWindowProcW, CreateWindowExW, ShowWindow, GetWindow, EnableWindow, GetMessageW, GetMonitorInfoW, MonitorFromWindow, SetWindowPos, LoadCursorW, RegisterClassW, GetClassInfoExW, RegisterClassExW, CallWindowProcW, SetPropW, GetPropW, PostMessageW, AdjustWindowRectEx, GetGUIThreadInfo, IsZoomed, GetWindowTextW, GetWindowTextLengthW, SetWindowTextW, GetCaretBlinkTime, GetSysColor, SetCaretPos, GetCaretPos, HideCaret, ShowCaret, CreateCaret, CharPrevW, SetRect, DrawTextW, FillRect, MessageBoxW, SetCursor, wvsprintfW, OffsetRect, CharNextW, ReleaseCapture, GetMenu, GetKeyState, GetActiveWindow, BeginPaint, EndPaint, IsRectEmpty, GetUpdateRect, IsWindowVisible, IntersectRect, MapWindowPoints, GetCursorPos, GetFocus, InvalidateRect, UnionRect, SetCapture
GDI32.dll	CombineRgn, ExtSelectClipRgn, CreateRectRgnIndirect, GetClipBox, SelectClipRgn, GetObjectA, GetTextMetricsW, SetWindowOrgEx, Rectangle, RestoreDC, BitBlt, SaveDC, CreateDIBSection, CreateCompatibleDC, DeleteDC, CreatePen, CreateFontIndirectW, GetStockObject, GetObjectW, GetTextExtentPoint32W, CreateFontW, GetTextExtentPointW, SelectObject, DeleteObject, CreateRoundRectRgn, StretchBlt, SetStretchBltMode, SetBkColor, ExtTextOutW, CreateSolidBrush, CreatePenIndirect, MoveToEx, LineTo, RoundRect, SetBkMode, SetTextColor, GetCharABCWidthsW, TextOutW, GdiFlush, GetDeviceCaps, CreateCompatibleBitmap, CreatePatternBrush
ADVAPI32.dll	RegOpenKeyExW, RegEnumKeyExW, RegSetValueExA, RegCreateKeyExA, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, GetSidSubAuthority, GetSidSubAuthorityCount, GetSidIdentifierAuthority, IsValidSid, LookupAccountNameW, GetUserNameW, RegCloseKey, RegQueryValueExW, CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, CryptGenRandom, CryptDestroyKey, CryptImportKey, CryptEncrypt, CryptAcquireContextA
SHELL32.dll	SHBrowseForFolderW, ShellExecuteW, SHGetSpecialFolderPathW, SHGetSpecialFolderLocation, SHGetPathFromIDListW
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CLSIDFromProgID, CLSIDFromString, CoUninitialize, CoInitialize, OleLockRunning, CoCreateGuid
OLEAUT32.dll	VariantClear, VariantInit, SysAllocString, SysFreeString
gdiplus.dll	GdipAlloc, GdipLoadImageFromStream, GdipImageSelectActiveFrame, GdipGetImageHeight, GdipGetImageWidth, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipImageGetFrameCount, GdipImageGetFrameDimensionsList, GdipImageGetFrameDimensionsCount, GdipDrawImage, GdipGraphicsClear, GdipDrawImageRectI, GdipDrawString, GdipGetFamily, GdipDeleteFontFamily, GdipSetPixelOffsetMode, GdipSetInterpolationMode, GdipSetCompositingQuality, GdipSetSmoothingMode, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromScan0, GdipFree, GdipDeleteBrush, GdipCreateLineBrushI, GdipSetStringFormatAlign, GdipSetStringFormatLineAlign, GdipDeleteStringFormat, GdipCreateStringFormat, GdipSetTextRenderingHint, GdipDeleteGraphics, GdipCreateFromHDC, GdipDeleteFont, GdipCreateFontFromLogfontA, GdipCreateFontFromDC, GdiplusShutdown, GdiplusStartup
COMCTL32.dll	_TrackMouseEvent
IMM32.dll	ImmGetContext, ImmSetCompositionFontW, ImmReleaseContext, ImmSetCompositionWindow
CRYPT32.dll	CryptQueryObject, CertGetNameStringA, CertAddCertificateContextToStore, CertFreeCertificateChainEngine, CertFreeCertificateContext, CertFindCertificateInStore, CertCloseStore, CertOpenStore, CertCreateCertificateChainEngine, CertGetCertificateChain, CryptStringToBinaryA, CertFreeCertificateChain
WS2_32.dll	connect, ntohl, htonl, ioctlsocket, sendto, recvfrom, listen, accept, freeaddrinfo, getaddrinfo, WSAIoctl, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, closesocket, bind, send, recv, WSASetLastError, select, __WSAFDIsSet, WSAGetLastError, WSACleanup, gethostname, WSAStartup
WLDAP32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Target ID:	0
Start time:	18:18:05
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\EDownloader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EDownloader.exe"
Imagebase:	0x520000
File size:	1'327'952 bytes
MD5 hash:	3D92268FEC3C1CF2E0E29A47D22A79FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	37

Executed Functions

Function 005639E0 Relevance: 35.5, APIs: 14, Strings: 6, Instructions: 472
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00563A15
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00563A2B
GetClientRect.USER32(?,?), ref: 00563A3B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000020), ref: 00563A68

Part of subcall function 00558F20: GetDC.USER32(?), ref: 00558F8C

GetModuleFileNameW.KERNEL32(00520000,?,00000104), ref: 00563B3F
_wcsrchr.LIBVCRUNTIME ref: 00563B76
FindResourceW.KERNEL32(00000000,00000000), ref: 00563CE4
LoadResource.KERNEL32(00000000,00000000), ref: 00563D04
FreeResource.KERNEL32(00000000), ref: 00563D15
SizeofResource.KERNEL32(00000000,00000000), ref: 00563D2F
LockResource.KERNEL32(?,00000000), ref: 00563D58
MessageBoxW.USER32(00000000,0063F87C,Duilib,00000010), ref: 00563FD0
ExitProcess.KERNEL32 ref: 00563FD8
FreeResource.KERNEL32(00000000), ref: 00563D6E

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

Strings

ZIPRES, xrefs: 00563CD3
xml, xrefs: 00563E56
membuffer, xrefs: 00563D7A, 00563DD5
\, xrefs: 00563C99
Duilib, xrefs: 00563FC5
dJe, xrefs: 00563ACE, 00563C5A, 00563C64, 00563CA4, 00563EF4

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Resource$Window$FreeLong$ClientExitFileFindLoadLockMessageModuleNameProcessRectSizeof_free_wcsrchr
String ID: Duilib$ZIPRES$\$dJe$membuffer$xml
API String ID: 111627710-3905235569
Opcode ID: 47b4c30d92ecc54e3015bfb2e82aecaa1410db6a1c5d8a818925d25652389470
Instruction ID: ea0515c0a6d32a24d3af5f44c13db7ed355ae475b8e6dc4bca6c4178fd9599d3
Opcode Fuzzy Hash: 47b4c30d92ecc54e3015bfb2e82aecaa1410db6a1c5d8a818925d25652389470
Instruction Fuzzy Hash: 9A02C971A002169FDB25DF24DC59BAA7BBABF54305F0405A8E906E7291EF31AF84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00526920 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,00000104), ref: 0052696D
LookupAccountNameW.ADVAPI32(00000000,?,?,00000208,?,00000104,?), ref: 005269EE
IsValidSid.ADVAPI32(?), ref: 00526A03
GetSidIdentifierAuthority.ADVAPI32(?), ref: 00526A19
GetSidSubAuthorityCount.ADVAPI32(?), ref: 00526AB7
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00526AD9

Strings

S-%lu-, xrefs: 00526A2B
-%lu, xrefs: 00526AF2
%-lu, xrefs: 00526A8F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Authority$Name$AccountCountIdentifierLookupUserValid
String ID: %-lu$-%lu$S-%lu-
API String ID: 3075695049-474367829
Opcode ID: 6e51cfe307fad3aca5d75cc1a6ba9f5f7bb62ff46af4757466081fb5511eb4ea
Instruction ID: 77c1ab69d08ce2e4d8c5651c602bcd24ec29ca5772a8ce577834ed72dc1b85f1
Opcode Fuzzy Hash: 6e51cfe307fad3aca5d75cc1a6ba9f5f7bb62ff46af4757466081fb5511eb4ea
Instruction Fuzzy Hash: C251B5B1A402285BDB209F64DC49BDABBBDBF89310F0402E6E519D71C2DB719A95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0060EC7B Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 376
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0060ECFD
_free.LIBCMT ref: 0060ED21
_free.LIBCMT ref: 0060EEB0
GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00632C3C), ref: 0060EEC2
_free.LIBCMT ref: 0060F07E

Strings

W. Europe Summer Time, xrefs: 0060EF60
W. Europe Standard Time, xrefs: 0060EF31
<,c, xrefs: 0060EFE1

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID: <,c$W. Europe Standard Time$W. Europe Summer Time
API String ID: 597776487-2240955746
Opcode ID: f3ecf1d5204a4a34b8be240cde2754b8ea8fb17d0cbad31060e87473f85dc144
Instruction ID: 85963cf578f292f5c53d49234422c249efa96752e63695e5339d79abc067c903
Opcode Fuzzy Hash: f3ecf1d5204a4a34b8be240cde2754b8ea8fb17d0cbad31060e87473f85dc144
Instruction Fuzzy Hash: C6C138719842299BDB2CDF78DC41AFB7BABEF55310F1449AAE445973C2E6328E01C750

Uniqueness

Uniqueness Score: -1.00%

Function 0060A524 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0060A1BF: CreateFileW.KERNELBASE(00000000,00000000,?,0060A5CD,?,?,00000000,?,0060A5CD,00000000,0000000C), ref: 0060A1DC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0060A638
__dosmaperr.LIBCMT ref: 0060A63F
GetFileType.KERNELBASE(00000000), ref: 0060A64B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0060A655
__dosmaperr.LIBCMT ref: 0060A65E
CloseHandle.KERNEL32(00000000), ref: 0060A67E
CloseHandle.KERNEL32(?), ref: 0060A7CB
GetLastError.KERNEL32 ref: 0060A7FD
__dosmaperr.LIBCMT ref: 0060A804

Strings

H, xrefs: 0060A789

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fba36d1762c6650c5994d6c485536437bf683035df3e9128abe61f361d49ef07
Instruction ID: 0e91a80e95e4b4e1659b80538c5df9d8f76a14537532864b88a9832fc3c3501a
Opcode Fuzzy Hash: fba36d1762c6650c5994d6c485536437bf683035df3e9128abe61f361d49ef07
Instruction Fuzzy Hash: D3A11132A542458FCF2DDFA8DC957AE3BB2AB06360F18415DE811AF3D1DB358912CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00526110 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005261B3
GetLastError.KERNEL32 ref: 005261BD

Part of subcall function 005A6850: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000000,6F923D37,?,75922EE0), ref: 005A68EF

GetExitCodeProcess.KERNEL32(00000008,?), ref: 00526203
GetLastError.KERNEL32 ref: 0052620D

Strings

Install recomand ErrCode=%d, xrefs: 005261D9
Install recomand return=%ld, xrefs: 00526286
Install recomand ErrCode= %ld, xrefs: 00526229

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastProcess$ByteCharCodeCreateExitMultiWide
String ID: Install recomand ErrCode= %ld$Install recomand ErrCode=%d$Install recomand return=%ld
API String ID: 1556569005-1404938810
Opcode ID: c7588ac9e641e37d56351a6b2aea8fd7afdf601419b0cfd5359dada3090d5d1a
Instruction ID: d0aba138e56beba04df928a735596e5884cd7de64b8a856fc800c619bed7c55a
Opcode Fuzzy Hash: c7588ac9e641e37d56351a6b2aea8fd7afdf601419b0cfd5359dada3090d5d1a
Instruction Fuzzy Hash: 91510F719002499BDB14DFA4CD8579E7FB6FF9A308F20425CE800AF286D7759A41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00557EC0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoExW.USER32(00000000,00000000), ref: 00557F0C
GetClassInfoExW.USER32(00520000,00000000), ref: 00557F2C
RegisterClassExW.USER32(00000030), ref: 00557F69
GetLastError.KERNEL32 ref: 00557F74
LoadCursorW.USER32 ref: 00557FE2
RegisterClassW.USER32(00000000), ref: 0055800D
GetLastError.KERNEL32(?,?,?,00000000,00007F00), ref: 00558018
CreateWindowExW.USER32(00000000,00000000,?,?,?,?,?,?,005252B6,?,00639F54,96C80000), ref: 00558055

Strings

0, xrefs: 00557EF3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Class$ErrorInfoLastRegister$CreateCursorLoadWindow
String ID: 0
API String ID: 1185170849-4108050209
Opcode ID: 0243cfdd9b42da74e1d56370a7caabe9f3071e9258763b58a2ad55aae3b92436
Instruction ID: ce3c5697bc712d4b1b686498f9290c321dc762eefe104f750c465971e9cb1bd1
Opcode Fuzzy Hash: 0243cfdd9b42da74e1d56370a7caabe9f3071e9258763b58a2ad55aae3b92436
Instruction Fuzzy Hash: D951AC706083069FDB00DF68DC54B6ABBE9FF98345F04152AF918D7260EB70EA19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005586B0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 219
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStockObject.GDI32(00000011), ref: 00558A3F
GetObjectW.GDI32(00000000), ref: 00558A46
CreateFontIndirectW.GDI32(?), ref: 00558A54
CreatePen.GDI32(00000000,00000001,000000DC), ref: 00558AF5
#17.COMCTL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6F923D37), ref: 00558B00
LoadLibraryW.KERNELBASE(msimg32.dll), ref: 00558B0B

Strings

msimg32.dll, xrefs: 00558B06
Dve, xrefs: 005589E6, 00558A5F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CreateObject$FontIndirectLibraryLoadStock
String ID: Dve$msimg32.dll
API String ID: 2150769274-627266902
Opcode ID: 0cb045c9e351c78a6a95169a1b52952bb7903844ac6947ea174e9e3366b8498b
Instruction ID: ad637e73de5791c97704f6792d8860f1cd8f68fa504cb85fdece92330d7b28d5
Opcode Fuzzy Hash: 0cb045c9e351c78a6a95169a1b52952bb7903844ac6947ea174e9e3366b8498b
Instruction Fuzzy Hash: 90C113B0905B458FE361DF34D9597DBBBE8BB09304F10891DE4AE9B291D7B62248CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00574920 Relevance: 12.2, APIs: 8, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,00000138,00000000,?,00000000,00000000,?,005794D7,?,00000000,00000002,?), ref: 00574948
GetFileType.KERNEL32(00000000,?,005794D7,?,00000000,00000002,?), ref: 00574970
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,005794D7,?,00000000), ref: 005749CB
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005794D7,?,00000000), ref: 005749F7
GetCurrentProcess.KERNEL32(00000000,00000000,?,005794D7,?,00000000), ref: 005749FD
DuplicateHandle.KERNEL32(00000000,?,005794D7,?,00000000), ref: 00574A00

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Current$FileProcess$CreateDirectoryDuplicateHandleType
String ID:
API String ID: 790408133-0
Opcode ID: 4e9b090c664a12a5c23e3e68e24542c61c6515ce0bbdf8af806a3c3b2e5e0d41
Instruction ID: 2383afc9229160f36e1c992c31e963aa324690846664357228fc4d1fc6b1b6d9
Opcode Fuzzy Hash: 4e9b090c664a12a5c23e3e68e24542c61c6515ce0bbdf8af806a3c3b2e5e0d41
Instruction Fuzzy Hash: 1E51A432740204DBDB30CF58F845B9EBBA6FB95321F10816AFA48DB280D371A951DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00554810 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005544C0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,6F923D37,00000000), ref: 00554519

Part of subcall function 00553D60: GetPrivateProfileStringA.KERNEL32(?,00000000,00000000,?,00000800,?), ref: 00553DEC

GetUserDefaultUILanguage.KERNEL32 ref: 0055496C

Strings

.ini, xrefs: 00554A1D, 00554A96
LanguageTransfor.ini, xrefs: 005548B5
InitConfigure.ini, xrefs: 00554859
Language, xrefs: 00554907
English, xrefs: 005549B5, 00554A83

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: DefaultFileLanguageModuleNamePrivateProfileStringUser
String ID: .ini$English$InitConfigure.ini$Language$LanguageTransfor.ini
API String ID: 3017490691-2628276212
Opcode ID: 9501b2aa205059736ac8cfbc153236d74956fea6b834e5831a00188a084a4433
Instruction ID: 1f4aa3db5a5ecf4c8f6f95d9788dbff83061e72adfbc83cf9feb5ae2fa861839
Opcode Fuzzy Hash: 9501b2aa205059736ac8cfbc153236d74956fea6b834e5831a00188a084a4433
Instruction Fuzzy Hash: 00C14870A001449BDF08EB78CD5A7ADBF72BFC5309F14815DE405AB2C7DB759A888B92

Uniqueness

Uniqueness Score: -1.00%

Function 0060EE58 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 173
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00632C3C), ref: 0060EEC2
_free.LIBCMT ref: 0060EEB0

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

_free.LIBCMT ref: 0060F07E

Strings

W. Europe Summer Time, xrefs: 0060EF60
W. Europe Standard Time, xrefs: 0060EF31
<,c, xrefs: 0060EFE1

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: <,c$W. Europe Standard Time$W. Europe Summer Time
API String ID: 2155170405-2240955746
Opcode ID: 5be430940e239adae4ccd8c4854e2cb3edc8d64a0e39d7146b934335c5644af6
Instruction ID: 81bc2bccf092219ba15fd58373a6a716dd13dfb92d99f3078be304522e10f92e
Opcode Fuzzy Hash: 5be430940e239adae4ccd8c4854e2cb3edc8d64a0e39d7146b934335c5644af6
Instruction Fuzzy Hash: D5512A71D4432A9BCB18DF64DC418AF7BBFEF40311F100AAAE514972D1EB715E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00600F6D Relevance: 9.3, APIs: 6, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 006010F7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00601113
__allrem.LIBCMT ref: 0060112A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00601148
__allrem.LIBCMT ref: 0060115F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0060117D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ff444ecfa856059cc41c698195f07ca9e7e510eb19e685656b9e2395aebca895
Instruction ID: dd2f3dd5d283fe7d6f0a7a11a2ccdb248e65c6596fd851507fcd44bc91d52aa6
Opcode Fuzzy Hash: ff444ecfa856059cc41c698195f07ca9e7e510eb19e685656b9e2395aebca895
Instruction Fuzzy Hash: 648129726807079BE72CAE69CC41BAB77EAAF45760F14462EF511DB7C1EB70DA008790

Uniqueness

Uniqueness Score: -1.00%

Function 005A6850 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000000,6F923D37,?,75922EE0), ref: 005A68EF
_strftime.LIBCMT ref: 005A6BBC

Strings

[%Y.%m.%d %X %A], xrefs: 005A6BB1
EasyLog.log, xrefs: 005A6BD5
4dd, xrefs: 005A6A98

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide_strftime
String ID: [%Y.%m.%d %X %A]$4dd$EasyLog.log
API String ID: 1930796987-2667214093
Opcode ID: 5e0240ab1f9dd93c787500f22c0e314fd48bf2d0bee2aad0c2b6db174d947720
Instruction ID: b9151712a2f1b3056b8ec3ab7e240ff90a72f07c558fe02f790ca3b028b795d1
Opcode Fuzzy Hash: 5e0240ab1f9dd93c787500f22c0e314fd48bf2d0bee2aad0c2b6db174d947720
Instruction Fuzzy Hash: CAF1BE70A012599FEB14DF24CC48B9EBBF5BF45314F1481E9E449AB292EB359E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005A8100 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005A8135
std::_Lockit::_Lockit.LIBCPMT ref: 005A8157
std::_Lockit::~_Lockit.LIBCPMT ref: 005A8177
__Getcvt.LIBCPMT ref: 005A8210
std::_Facet_Register.LIBCPMT ref: 005A8247
std::_Lockit::~_Lockit.LIBCPMT ref: 005A825F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcvtRegister
String ID:
API String ID: 3552396256-0
Opcode ID: 74f5bf99fec6945f4bd2f3b355d049ff3143346f93a088d2521b272c6d85f502
Instruction ID: 17b261f11b9d9312bd5dbe175ec1859c91e723caabb9ba337868a5736abd2c6f
Opcode Fuzzy Hash: 74f5bf99fec6945f4bd2f3b355d049ff3143346f93a088d2521b272c6d85f502
Instruction Fuzzy Hash: D141FD719002568FCB15CF68C845ABEBBB5FF99304F14465DE846AB252EB30FE46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00607786 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060B17A: RtlAllocateHeap.NTDLL(00000000,00639F54,00521057,?,0060E7B7,00521057,00654B98,?,0055ED42,00639F54,00639F56,?,?,?,00654B98), ref: 0060B1AC

_free.LIBCMT ref: 00607895
_free.LIBCMT ref: 006078AC
_free.LIBCMT ref: 006078CB
_free.LIBCMT ref: 006078E6
_free.LIBCMT ref: 006078FD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: f75db5c672fcab958dd6c77dffa2740de3c793df9f555589a020298a33931120
Instruction ID: bd3b427876f6a86fe4f34c6611b67c75bfed5e6eff6e6a66226f3ee6fd6df1d6
Opcode Fuzzy Hash: f75db5c672fcab958dd6c77dffa2740de3c793df9f555589a020298a33931120
Instruction Fuzzy Hash: 8C51BF71E44305AFDB28DF69CC41AAB77F6EF55720F1446ADE809DB290E731AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00558330 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00558350
GetWindowLongW.USER32(?,000000EB), ref: 00558372
CallWindowProcW.USER32(?,?,?,?,?), ref: 00558391
SetWindowLongW.USER32(?,000000EB,00000000), ref: 005583A0
DefWindowProcW.USER32(?,?,?,?), ref: 005583D3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$Long$Proc$Call
String ID:
API String ID: 1819824282-0
Opcode ID: 56d64f0f8c1dd52711585debac97a9048c0ecf59540992ecc66d38d7e7fd7b86
Instruction ID: 2cb773014f63ee158fc28a5aa663528dbdb6726bb1bc2e84040e0c6b56bde9fe
Opcode Fuzzy Hash: 56d64f0f8c1dd52711585debac97a9048c0ecf59540992ecc66d38d7e7fd7b86
Instruction Fuzzy Hash: 5621EB32204214AFCB219F45DC58E6FBFA9FF99B71F04491AF955A7161C7319C10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0060EFB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0060F028
_free.LIBCMT ref: 0060F07E

Part of subcall function 0060EE58: _free.LIBCMT ref: 0060EEB0
Part of subcall function 0060EE58: GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00632C3C), ref: 0060EEC2

Strings

<,c, xrefs: 0060EFE1

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID: <,c
API String ID: 597776487-1069194922
Opcode ID: 4d7c15b62266c9fc2cabceb5bf8ef4925ed64a13a0f6b9e26aa83f13fc92223e
Instruction ID: 41c039bf03b7d8c703ed651762ba7871b2f4ff3e48837d8f92579e7ab683e114
Opcode Fuzzy Hash: 4d7c15b62266c9fc2cabceb5bf8ef4925ed64a13a0f6b9e26aa83f13fc92223e
Instruction Fuzzy Hash: C6216B32C8032996CB7897248C45AEF777FCF91760F1002E9E496A32C2EF705E8586A4

Uniqueness

Uniqueness Score: -1.00%

Function 006099C1 Relevance: 4.7, APIs: 3, Instructions: 178fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00609154: GetConsoleCP.KERNEL32(005F96C3,00000000,?), ref: 0060919C

WriteFile.KERNEL32(?,?,00000000,006513D0,00000000,00000000,00000000,00000000,?,006513D0,00000010,005F96C3,00000000,00000000,00000000,?), ref: 00609B12
GetLastError.KERNEL32(?,00000000), ref: 00609B1C
__dosmaperr.LIBCMT ref: 00609B61

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: 6b2abd30ff3e834c6451caccd866c169f7609d0454cb6964cf5c9a0109236e78
Instruction ID: 7a125fbc4cb81b2414aa0a05297387cdb53bfc0e30060dee09249035d88e324f
Opcode Fuzzy Hash: 6b2abd30ff3e834c6451caccd866c169f7609d0454cb6964cf5c9a0109236e78
Instruction Fuzzy Hash: A5518071A8420AAFDB19DBA8CC45BEFBBBBEF49314F040055E400A72D2D7749D418B70

Uniqueness

Uniqueness Score: -1.00%

Function 005FA337 Relevance: 4.6, APIs: 3, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

_free.LIBCMT ref: 005FA3E8
_free.LIBCMT ref: 005FA416
_free.LIBCMT ref: 005FA45E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 4b2351d6c3f8aadeea9972d3485bc021dfedc674738f11cb7ab2d0ba01a7431a
Instruction ID: 172114dd33e1494ed9efe8f9f62d56140a84b30f0c5238a4141bc0e21ece2355
Opcode Fuzzy Hash: 4b2351d6c3f8aadeea9972d3485bc021dfedc674738f11cb7ab2d0ba01a7431a
Instruction Fuzzy Hash: 9741AE716002099FDB25DFACC889A79BBF6FF48310B2409ADE609C7391E775EC109B52

Uniqueness

Uniqueness Score: -1.00%

Function 005FA49D Relevance: 4.6, APIs: 3, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 005FA4C9
__cftoe.LIBCMT ref: 005FA4FB
_free.LIBCMT ref: 005FA521

Part of subcall function 005F41C9: IsProcessorFeaturePresent.KERNEL32(00000017,005F419B,00000000,?,00000004,00000004,?,?,?,005F41A8,00000000,00000000,00000000,00000000,00000000,00615519), ref: 005F41CB
Part of subcall function 005F41C9: GetCurrentProcess.KERNEL32(C0000417), ref: 005F41EE
Part of subcall function 005F41C9: TerminateProcess.KERNEL32(00000000), ref: 005F41F5

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Process__cftoe$CurrentFeaturePresentProcessorTerminate_free
String ID:
API String ID: 3294049834-0
Opcode ID: 6c4d6ba4781bc4090d013d71b8b04a60aa8f6833bf2349692bff5decaff2eea7
Instruction ID: 28ef57d31ffc86b86a0c68daec1b8e3781784bd4bcb532c354e8eb186c032ce4
Opcode Fuzzy Hash: 6c4d6ba4781bc4090d013d71b8b04a60aa8f6833bf2349692bff5decaff2eea7
Instruction Fuzzy Hash: 5421C9B280410C7ACF24AA959C45DFF7FE9EB85330F20415AFA18D6181FE35DA5486A7

Uniqueness

Uniqueness Score: -1.00%

Function 00609CB6 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,0025003D,?,00609BEC,0025003D,006513F0,0000000C,00609C94,00000000), ref: 00609D0C
GetLastError.KERNEL32(?,00609BEC,0025003D,006513F0,0000000C,00609C94,00000000), ref: 00609D16
__dosmaperr.LIBCMT ref: 00609D41

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: dfa437638f1889d1f920a09a8ad728bbb6d6d2bbba5d94e9cd0a01be36f0e9d6
Instruction ID: 52c965150b3d8f7d9957ce793ea58b8ad25b4917d676211a027ea4a2bc98a9c1
Opcode Fuzzy Hash: dfa437638f1889d1f920a09a8ad728bbb6d6d2bbba5d94e9cd0a01be36f0e9d6
Instruction Fuzzy Hash: 83012B32AD491016D73C6374AC4A7FF6B9B5F82B34F29012DF8088B7D3DA2188428174

Uniqueness

Uniqueness Score: -1.00%

Function 00603B70 Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,00603C1F,00000000,00000000,00000002,00000000), ref: 00603BA9
GetLastError.KERNEL32(?,00603C1F,00000000,00000000,00000002,00000000,?,00609A4A,00000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00603BB3
__dosmaperr.LIBCMT ref: 00603BBA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: daa735b971f13f5e93f22e1343151830a566cf0b8449a8c7b62b113a45abf1fe
Instruction ID: 24ccbfa3179021d34faeb59e6c8fd6c402b1d11e2cf60a20ec61a236a7fb91b1
Opcode Fuzzy Hash: daa735b971f13f5e93f22e1343151830a566cf0b8449a8c7b62b113a45abf1fe
Instruction Fuzzy Hash: 0A012D326545256BCB299FA9DC098AF372FDF95321B24024AF810DB3D0EB71DE014790

Uniqueness

Uniqueness Score: -1.00%

Function 00545670 Relevance: 3.2, APIs: 2, Instructions: 204COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00545819
ShowWindow.USER32(?,00000000), ref: 00545828

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$Show_free
String ID:
API String ID: 1511249164-0
Opcode ID: a7aeac561df12bbdfe7559a9c43a7b99f512debd01e78fd754cca064365764b0
Instruction ID: 6380d0bee952f724fb279218dd47556a08d519c17ff7995e3e49e384aa322b75
Opcode Fuzzy Hash: a7aeac561df12bbdfe7559a9c43a7b99f512debd01e78fd754cca064365764b0
Instruction Fuzzy Hash: 4271AE70A102199BEB18DF24CC86BDE7BA5FF44314F104669F91A97292EB34AA84CB40

Uniqueness

Uniqueness Score: -1.00%

Function 006095DD Relevance: 3.1, APIs: 2, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,005F96C3,00000000,?,?,00609AF6,?,00000000,?,00000000,00000000,00000000), ref: 00609679
GetLastError.KERNEL32(?,00609AF6,?,00000000,?,00000000,00000000,00000000,00000000,?,006513D0,00000010,005F96C3,00000000,00000000,00000000), ref: 0060969F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 9410cfc9e0f5e386da3610b62978e5ccdda93bbd78889f8d960c78b9fd098a24
Instruction ID: 6efec6dede774dae2c7fea908609bf8c91f992aec92fbe3cbcefe9d87faeca01
Opcode Fuzzy Hash: 9410cfc9e0f5e386da3610b62978e5ccdda93bbd78889f8d960c78b9fd098a24
Instruction Fuzzy Hash: EE21D630A102199FDF19CF69DC809EEB7BBEB49301F1440E9E945D7252D6319E42CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00523A90 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00523AB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00523B4A

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~__free
String ID:
API String ID: 2189227594-0
Opcode ID: 89702abf3a7af80b25a4708ccd372e96a41ab079f5a414c90d5e3a460f45bf80
Instruction ID: 36491d7bafaa222f5bb858c1ef53e3739178dad3db4b916c0488c4add9c16b6e
Opcode Fuzzy Hash: 89702abf3a7af80b25a4708ccd372e96a41ab079f5a414c90d5e3a460f45bf80
Instruction Fuzzy Hash: 901160F1A007455BEB20DF25D80AF27BBECBF14754F044968E84AC7680EB79E505CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00564070 Relevance: 1.8, APIs: 1, Instructions: 250COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,00000000,?,?,?), ref: 005642B2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7d3280fc22b98894412a89f163c1ce2f6175ff59db86d0d2f8a671db252ad343
Instruction ID: 5a2ceab8d4a8403a82d65679861b4c848876e9235dd5804f625a1189ddb65cc9
Opcode Fuzzy Hash: 7d3280fc22b98894412a89f163c1ce2f6175ff59db86d0d2f8a671db252ad343
Instruction Fuzzy Hash: 5581F4B5204108EFEB18DB94C898DBEBBBEFFD0B04F218949F1519B155D7B0AE409B60

Uniqueness

Uniqueness Score: -1.00%

Function 00553D60 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(?,00000000,00000000,?,00000800,?), ref: 00553DEC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 9885e20067a965d533feeaaa6d606644fd6b0f6df119481aec1e4936bb1cbe24
Instruction ID: c2e522f2e932439a85ca42d5b15ddeea953f9b541a31eb5b083e883f6cae175a
Opcode Fuzzy Hash: 9885e20067a965d533feeaaa6d606644fd6b0f6df119481aec1e4936bb1cbe24
Instruction Fuzzy Hash: A131F671A002049FEB14CF18CDC5B597BB9FB49710F6082A9ED059B2C6DB75E984CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0060DFDE Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0060E018

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 83068cbb46842507fb804f0d167d614ebc4086db43f351d7099926d32c2f30e1
Instruction ID: 4a622675563dddbdf13d6f53c2998f68aab4f2fc6c0603aaae28c77aab3096bb
Opcode Fuzzy Hash: 83068cbb46842507fb804f0d167d614ebc4086db43f351d7099926d32c2f30e1
Instruction Fuzzy Hash: 74114C7190420AAFCB09DF58E94099B7BF6EF48300F014499F909AB351D771DE21CB65

Uniqueness

Uniqueness Score: -1.00%

Function 005F9C47 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b27a94fd7f7e179ed52a43b6d80de6a70897a9f9bef7ba59bd2e9ef67df7ce
Instruction ID: fa85a515373f24440b9f824851405dc540b4d5b7c266bce3fde794d8e77668d1
Opcode Fuzzy Hash: 50b27a94fd7f7e179ed52a43b6d80de6a70897a9f9bef7ba59bd2e9ef67df7ce
Instruction Fuzzy Hash: 5BF0F932541A1816D6352B698C45B7B3BDAAF51374F100729FA24921D1DB78DC019695

Uniqueness

Uniqueness Score: -1.00%

Function 00606E85 Relevance: 1.5, APIs: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060C205: HeapAlloc.KERNEL32(00000008,00521057,00000000,?,0060ADF3,00000001,00000364,00000006,000000FF,?,0055ED42,00639F54,00639F56), ref: 0060C246

_free.LIBCMT ref: 00606EA5

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Heap$AllocErrorFreeLast_free
String ID:
API String ID: 3091179305-0
Opcode ID: 2369ad8576c190b71131374dc0a9bf9fcbed54944f5c31b3abb38eea69c43639
Instruction ID: cbc01880231b5a6fe012bbdaa2893e599d8f1dcf41c8f167554ea84850bb3fa6
Opcode Fuzzy Hash: 2369ad8576c190b71131374dc0a9bf9fcbed54944f5c31b3abb38eea69c43639
Instruction Fuzzy Hash: 49010C76D40219AFCB50DFA9C441ADEBBB8FB48710F10426AE914E7380E771AA55CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0060A494 Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0060A4F7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c256890aaff1d49386c0b5e4001380d5a62ac8e3746fd226d33b80f694566961
Instruction ID: bb28ed52e1b169602cc05c6d0c8545d5d4e8e43cef48d54ba4a551196546851e
Opcode Fuzzy Hash: c256890aaff1d49386c0b5e4001380d5a62ac8e3746fd226d33b80f694566961
Instruction Fuzzy Hash: 0C011E72C4025DAFCF41AFE88D059EE7FB6BB08350F144165BE18A2191E6758A609B92

Uniqueness

Uniqueness Score: -1.00%

Function 005EE3A7 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005EF716

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: c8ee851c4276518795a20efc6116e26b5eda34f1c7ae03fa1d4c484203453fbf
Instruction ID: dd2829aacbb07fb716c81230531b2c0ee5200ec0ef6717a464ef3cf1e5e6924b
Opcode Fuzzy Hash: c8ee851c4276518795a20efc6116e26b5eda34f1c7ae03fa1d4c484203453fbf
Instruction Fuzzy Hash: A9E0923580064EB68B1C7AA6DC0A46A3F6D7E00360B244631B99A9A4E1EF30EE598591

Uniqueness

Uniqueness Score: -1.00%

Function 0060B17A Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00639F54,00521057,?,0060E7B7,00521057,00654B98,?,0055ED42,00639F54,00639F56,?,?,?,00654B98), ref: 0060B1AC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea53193f7d1b3b92c970064192c2ec070ee54d8f079a338bf81bfab8ce898c92
Instruction ID: 785b8b436a285c2e8941bad9b655474269e7ab2e47c3705e577f298c112e9a72
Opcode Fuzzy Hash: ea53193f7d1b3b92c970064192c2ec070ee54d8f079a338bf81bfab8ce898c92
Instruction Fuzzy Hash: E7E02B316C46126AE73937659C15BDB364F9F117A1F1461A4AC16963C0CF60EC0186E9

Uniqueness

Uniqueness Score: -1.00%

Function 0060A1BF Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0060A5CD,?,?,00000000,?,0060A5CD,00000000,0000000C), ref: 0060A1DC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 83423179f2ad1c88925ca8c85a26406f50550f44b3e96e67a4f8ab4a37985680
Instruction ID: 94540992537f9a818f3a36ab923ad3c579381a0f2c6cfa3fcf96ba5b74118396
Opcode Fuzzy Hash: 83423179f2ad1c88925ca8c85a26406f50550f44b3e96e67a4f8ab4a37985680
Instruction Fuzzy Hash: 8BD06C3201020DBBDF128F84DC06EDA3BAAFB88714F018050BA1856020C732E862AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00521270 Relevance: 1.5, APIs: 1, Instructions: 9synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000000,00000000), ref: 00521276

Part of subcall function 005EEA1F: __onexit.LIBCMT ref: 005EEA25

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CreateMutex__onexit
String ID:
API String ID: 732330502-0
Opcode ID: e4a0d521ba380856e556f1cad0664cfbe1071f3cceb9963f63f75d87294d3843
Instruction ID: c37040ef5f33d0bd87f9cddcc49012873da2eb0e4b771123c8ec0e7a74a221e1
Opcode Fuzzy Hash: e4a0d521ba380856e556f1cad0664cfbe1071f3cceb9963f63f75d87294d3843
Instruction Fuzzy Hash: 5DC092B968474466E724ABA07C0FF043A52BB60B02F602059F3066E8D2CBE050415A04

Uniqueness

Uniqueness Score: -1.00%

Function 00521230 Relevance: 1.5, APIs: 1, Instructions: 9synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000000,00000000), ref: 00521236

Part of subcall function 005EEA1F: __onexit.LIBCMT ref: 005EEA25

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CreateMutex__onexit
String ID:
API String ID: 732330502-0
Opcode ID: d03ea06c90f81fcc8f94b589a3ba6450af66ec330f518901e7c119a2780a50b5
Instruction ID: 92a9cc0c7c59a27ab5971145d0c2fbad6553f622badaea5b2a3be34a6f1da5ec
Opcode Fuzzy Hash: d03ea06c90f81fcc8f94b589a3ba6450af66ec330f518901e7c119a2780a50b5
Instruction Fuzzy Hash: 39C092B9A84741A6E724ABA06C0FF043A527B40B12F712059B3066E8D2CAA050816A04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005C23F0 Relevance: 120.8, APIs: 5, Strings: 63, Instructions: 1808COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005C294B
___from_strstr_to_strchr.LIBCMT ref: 005C2958
_strstr.LIBCMT ref: 005C2ABF
_strstr.LIBCMT ref: 005C2BF4
___swprintf_l.LIBCMT ref: 005C2C6A

Strings

Expect, xrefs: 005C3575, 005C36EE
Failed sending HTTP request, xrefs: 005C3A08
multipart/form-data, xrefs: 005C2769, 005C2783
0, xrefs: 005C3847, 005C3922
Content-Range: bytes 0-%I64d/%I64d, xrefs: 005C2F52
HEAD, xrefs: 005C252C
x,b, xrefs: 005C2A32
Failed sending HTTP POST request, xrefs: 005C39AC
/, xrefs: 005C2C48
Proxy-Connection, xrefs: 005C305F
Referer, xrefs: 005C25F6
Content-Range: bytes %s%I64d/%I64d, xrefs: 005C2F8C
Could only read %I64d bytes from the input, xrefs: 005C2E7B
%s%s, xrefs: 005C3317
Content-Type: application/x-www-form-urlencoded, xrefs: 005C36D8
ftp://, xrefs: 005C2BC9
Transfer-Encoding: chunked, xrefs: 005C286E
ftp://%s:%s@%s, xrefs: 005C3018
OPTIONS, xrefs: 005C2556
Content-Length: %I64d, xrefs: 005C3406, 005C3528, 005C36B0
Content-Length: 0, xrefs: 005C34B5
%s , xrefs: 005C2FDB
Content-Range, xrefs: 005C2F03
Failed sending PUT request, xrefs: 005C346D
Host, xrefs: 005C28B7
Chunky upload is not supported by HTTP 1.0, xrefs: 005C2880
Referer: %s, xrefs: 005C260E
Could not seek stream, xrefs: 005C2D5E
Content-Type, xrefs: 005C2732, 005C36C6
Transfer-Encoding:, xrefs: 005C27EB
User-Agent, xrefs: 005C2566
100-continue, xrefs: 005C3587, 005C3700
Accept: */*, xrefs: 005C2CA6
GET, xrefs: 005C255F
P;b, xrefs: 005C306D
Content-Length, xrefs: 005C33ED, 005C3510, 005C3698
t,b, xrefs: 005C2A50
%s%s=%s, xrefs: 005C32A3
Accept-Encoding: %s, xrefs: 005C269F
Host: %s%s%s, xrefs: 005C2A3B
x,b, xrefs: 005C2A64
upload completely sent off: %I64d out of %I64d bytes, xrefs: 005C3A98
Host:%s, xrefs: 005C29B3
Host:, xrefs: 005C2981
Content-Range: bytes %s/%I64d, xrefs: 005C2F9E
Accept, xrefs: 005C2C93
File already completely uploaded, xrefs: 005C2E55
Failed sending POST request, xrefs: 005C3640
Host: %s%s%s:%d, xrefs: 005C2A6D
Cookie: , xrefs: 005C3273, 005C32EB
%s, xrefs: 005C3552
Transfer-Encoding, xrefs: 005C27D4
Range, xrefs: 005C2EB9
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 005C3172
Accept-Encoding, xrefs: 005C2669
;type=%c, xrefs: 005C2C62
Cookie, xrefs: 005C264E
;type=, xrefs: 005C2BEE
t,b, xrefs: 005C2A24
%x, xrefs: 005C37E3
chunked, xrefs: 005C27E6
Range: bytes=%s, xrefs: 005C2EDD
Expect:, xrefs: 005C358C, 005C3705

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strstr$___swprintf_l
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%x$/$0$100-continue$;type=$;type=%c$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$OPTIONS$P;b$Proxy-Connection$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp://$ftp://%s:%s@%s$multipart/form-data$t,b$t,b$upload completely sent off: %I64d out of %I64d bytes$x,b$x,b
API String ID: 3454564989-190793851
Opcode ID: 4dd8ac049907f30fa198e500397e3fc1246d00aff67ba0ec0d2ad2138d9704cc
Instruction ID: efc8025a87c9a6dece726547f036a2c5b42623fed8e734b489b1894d72cf1d1d
Opcode Fuzzy Hash: 4dd8ac049907f30fa198e500397e3fc1246d00aff67ba0ec0d2ad2138d9704cc
Instruction Fuzzy Hash: A0E2D270A0061AAFDF14DFA4D849FAEBFB5BF45304F08416DE809AB242E7759E50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005591B0 Relevance: 95.6, APIs: 53, Strings: 1, Instructions: 1113windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 005592A9
ScreenToClient.USER32(00000000,?), ref: 0055933F

Strings

tooltips_class32, xrefs: 0055B32F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ClientIconicScreen
String ID: tooltips_class32
API String ID: 3037509956-1918224756
Opcode ID: 631f43d84d1c7fd15e6c4cc34bf2bc28b50ebe3b01aa0c5b2a752d265b650425
Instruction ID: a1ce2e04fe73baf5898bd4d3b039c79464086d7e8adf91450aaebacea78971b7
Opcode Fuzzy Hash: 631f43d84d1c7fd15e6c4cc34bf2bc28b50ebe3b01aa0c5b2a752d265b650425
Instruction Fuzzy Hash: 56B23C70A00719DFEB24CF64C898BEABBF5BF49301F10459AE85AE7250DB70A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0057C280 Relevance: 84.1, APIs: 46, Strings: 1, Instructions: 1835COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 0057C302
GetClipBox.GDI32(?,?), ref: 0057C3E9
CreateRectRgnIndirect.GDI32(?), ref: 0057C3F9
CreateRectRgnIndirect.GDI32(?), ref: 0057C407
ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 0057C41C
SelectObject.GDI32(?,00000000), ref: 0057C493
SetBkMode.GDI32(?,00000001), ref: 0057C4A2
SetTextColor.GDI32(?), ref: 0057C4C6
SetBkColor.GDI32(?), ref: 0057C4ED
PtInRect.USER32(?,?,?), ref: 0057C693
CharNextW.USER32(?), ref: 0057C8E7
CharNextW.USER32(?), ref: 0057C94D
SetTextColor.GDI32(?), ref: 0057CA4E
SelectObject.GDI32(?,00000000), ref: 0057CB23
SelectObject.GDI32(?,00000000), ref: 0057CC6C
CharNextW.USER32(?), ref: 0057DE42
CharNextW.USER32(?), ref: 0057DE64
SetTextColor.GDI32(?), ref: 0057DF2F
CharNextW.USER32(?), ref: 0057E234
CharNextW.USER32(?), ref: 0057E247
GetTextExtentPoint32W.GDI32(?,0000002F,00000001,?), ref: 0057E2C6
TextOutW.GDI32(?,?,?,?,00000001), ref: 0057E377
GetTextExtentPoint32W.GDI32(?,0063CE3C,00000001,?), ref: 0057E3F8
TextOutW.GDI32(?,?,?,0063CE3C,00000001), ref: 0057E493
GetTextExtentPoint32W.GDI32(?,?,00000000,?), ref: 0057E5B3
CharNextW.USER32(?), ref: 0057E61B
GetTextExtentPoint32W.GDI32(?,?,00000000,?), ref: 0057E666
CharNextW.USER32(?), ref: 0057E6DA
CharPrevW.USER32(?,?), ref: 0057E763
CharPrevW.USER32(?,00000000), ref: 0057E77B
TextOutW.GDI32(?,?,?,?,00000000), ref: 0057E829
TextOutW.GDI32(?,?,?,...,00000003), ref: 0057E8C7
SetRect.USER32(?,?,?,?,?), ref: 0057E99F
SetTextColor.GDI32(?), ref: 0057ED2F
SelectObject.GDI32(?,00000000), ref: 0057ED73
SetBkMode.GDI32(?,00000002), ref: 0057ED85
SelectClipRgn.GDI32(?,?), ref: 0057EF08
DeleteObject.GDI32(?), ref: 0057EF15
DeleteObject.GDI32(?), ref: 0057EF1D
SelectObject.GDI32(?,?), ref: 0057EF2B

Strings

..., xrefs: 0057E853

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Text$Char$Next$ObjectSelect$ColorRect$ExtentPoint32$Clip$CreateDeleteIndirectModePrev$Empty
String ID: ...
API String ID: 74705592-440645147
Opcode ID: 21b597813135f3971819e2e7bf8e162e8701a1fd297c256dff274e333f2d75bd
Instruction ID: 3b1cb7f0324e0e682c6ce1a139a38af2da47d07598f96d4195a4ab202f1b4d95
Opcode Fuzzy Hash: 21b597813135f3971819e2e7bf8e162e8701a1fd297c256dff274e333f2d75bd
Instruction Fuzzy Hash: D8035E709002298FDF24CF24DC45BA9BBB6BF99314F0485D9E84DA7251DB32AEA1DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00577150 Relevance: 66.2, APIs: 4, Strings: 33, Instructions: 1462COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,6F923D37,?,?), ref: 0057761F
CharNextW.USER32(?,6F923D37,?,?), ref: 005776B0
_wcschr.LIBVCRUNTIME ref: 0057780E
_wcschr.LIBVCRUNTIME ref: 005781DE

Strings

focusbordercolor, xrefs: 0057765A
colorhsl, xrefs: 005776EB
float, xrefs: 00578153
pos, xrefs: 0057719A
text, xrefs: 00577D45
bkcolor2, xrefs: 0057742F
bordersize, xrefs: 00577787
enabled, xrefs: 00577ED5
shortcut, xrefs: 00578300
borderstyle, xrefs: 005778FB
minwidth, xrefs: 00577B25
bkcolor1, xrefs: 005773DC
bkcolor3, xrefs: 005774FE
tooltip, xrefs: 00577DA5
width, xrefs: 00577A45
visible, xrefs: 005780B3
height, xrefs: 00577AB5
borderround, xrefs: 0057795E
virtualwnd, xrefs: 00578403
name, xrefs: 00577CE5
bordercolor, xrefs: 005775C4
maxwidth, xrefs: 00577C05
userdata, xrefs: 00577E08
minheight, xrefs: 00577B95
mouse, xrefs: 00577F73
menu, xrefs: 0057836B
bkcolor, xrefs: 00577385
maxheight, xrefs: 00577C75
bkimage, xrefs: 005779E7
tag, xrefs: 00577E68
padding, xrefs: 0057729B
true, xrefs: 0057773A, 00577F28, 00577F67, 00577FC8, 00578007, 00578068, 005780A7, 00578108, 00578147, 00578299, 005782D7, 005783BA, 005783F7
keyboard, xrefs: 00578013

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext_wcschr
String ID: bkcolor$bkcolor1$bkcolor2$bkcolor3$bkimage$bordercolor$borderround$bordersize$borderstyle$colorhsl$enabled$float$focusbordercolor$height$keyboard$maxheight$maxwidth$menu$minheight$minwidth$mouse$name$padding$pos$shortcut$tag$text$tooltip$true$userdata$virtualwnd$visible$width
API String ID: 1162395192-3287978572
Opcode ID: f3136d518c9a7f1b1b4c7ac18f189b70c3a5dd3ea1983ec4d9eb029cd5ad5424
Instruction ID: 1237a6c8ca26df3394083d35687e0f2d6c5e977a0648c088d60a234a75e7438a
Opcode Fuzzy Hash: f3136d518c9a7f1b1b4c7ac18f189b70c3a5dd3ea1983ec4d9eb029cd5ad5424
Instruction Fuzzy Hash: FEC20536A042198EDF389F20E814BBABB71FF55B04F5980D9D54FAB280EB715D80DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0054C350 Relevance: 62.9, APIs: 5, Strings: 30, Instructions: 1601windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005EE6C3: EnterCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE6CE
Part of subcall function 005EE6C3: LeaveCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE70B

Part of subcall function 005EEA1F: __onexit.LIBCMT ref: 005EEA25

Part of subcall function 005EE679: EnterCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE683
Part of subcall function 005EE679: LeaveCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE6B6

GetLocaleInfoW.KERNEL32(00000400,00001002,?,00000104,?,?,0000000F), ref: 0054C806
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,Timezone,00000008,?,0063AB04,00000002,?,Install_Path,0000000C,?), ref: 0054CDD9
GetVersionExW.KERNEL32(0000011C,?,?,0000000B), ref: 0054D2E2
IsWindow.USER32(?), ref: 0054DAB3
PostMessageW.USER32(?,00000010,00000001,00000000), ref: 0054DAC6

Part of subcall function 00545930: GetClientRect.USER32(?,?), ref: 0054596B
Part of subcall function 00545930: GetWindowLongW.USER32(?,000000F0), ref: 0054599D
Part of subcall function 00545930: GetMenu.USER32(?), ref: 005459AD
Part of subcall function 00545930: GetWindowLongW.USER32(?,000000EC), ref: 005459CC
Part of subcall function 00545930: GetWindowLongW.USER32(?,000000F0), ref: 005459DC
Part of subcall function 00545930: AdjustWindowRectEx.USER32(?,00000000), ref: 005459E8
Part of subcall function 00545930: SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016), ref: 00545A0F
Part of subcall function 00545930: GetWindowRect.USER32(?,?), ref: 00545A1D
Part of subcall function 00545930: MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00545A34

Strings

Version_Num, xrefs: 0054CDF8
Home_Installer, xrefs: 0054D16E, 0054D727
Country, xrefs: 0054C938
Click_Reinstall, xrefs: 0054D142
QuitTipsDetail, xrefs: 0054D85B
Click_Update, xrefs: 0054D150
DOWNLOAD_VERSION, xrefs: 0054C41E, 0054D39E
Button, xrefs: 0054D9D4
Click_Install, xrefs: 0054D108
Version, xrefs: 0054C9E7
QuitDilaog, xrefs: 0054D970
Language, xrefs: 0054C88F
Timezone, xrefs: 0054CC67
Click_Exit, xrefs: 0054D6FA, 0054DACC
TrialVersionName, xrefs: 0054D33D
QuitInstallDialog.xml, xrefs: 0054D82A
DIR, xrefs: 0054C679
Install_Path, xrefs: 0054CA96
QuitTips, xrefs: 0054D8A1
Pageid, xrefs: 0054CE9E
Exit_Prompt, xrefs: 0054DAEA
productContrastPage, xrefs: 0054C3CE
wizardTab, xrefs: 0054D440
LANG, xrefs: 0054C541
FreeVersionName, xrefs: 0054C4DB
exeNumber, xrefs: 0054CEDE
Canncel, xrefs: 0054D8E7
Quit, xrefs: 0054D930
Home_Click_Exit, xrefs: 0054DAD9
ProOnServer, xrefs: 0054D290

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$CriticalSection$LongRect$EnterLeave$AdjustByteCharClientInfoLocaleMenuMessageMoveMultiPostVersionWide__onexit
String ID: Button$Canncel$Click_Exit$Click_Install$Click_Reinstall$Click_Update$Country$DIR$DOWNLOAD_VERSION$Exit_Prompt$FreeVersionName$Home_Click_Exit$Home_Installer$Install_Path$LANG$Language$Pageid$ProOnServer$Quit$QuitDilaog$QuitInstallDialog.xml$QuitTips$QuitTipsDetail$Timezone$TrialVersionName$Version$Version_Num$exeNumber$productContrastPage$wizardTab
API String ID: 3742564273-1649923944
Opcode ID: b1f3c2a2a9e3572d692c71f22fa4d38f5be7b8a0b2b789f1c3219b3295c47ab8
Instruction ID: e3d36a1427b98f8b9aab44050c3ae6393c5aaf6b1a16a28bfdbfbdb110c7f09f
Opcode Fuzzy Hash: b1f3c2a2a9e3572d692c71f22fa4d38f5be7b8a0b2b789f1c3219b3295c47ab8
Instruction Fuzzy Hash: F5E2E1709012599BDF24DB64DC89BDDBFB6BF85308F1041D8E408AB2D2DB75AB84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005E6300 Relevance: 49.3, APIs: 15, Strings: 13, Instructions: 254fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,005E67A8,00000000), ref: 005E6326

Part of subcall function 005E3C50: GetLastError.KERNEL32(00000000,?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?), ref: 005E3C57
Part of subcall function 005E3C50: _strncpy.LIBCMT ref: 005E3C95
Part of subcall function 005E3C50: GetLastError.KERNEL32(?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?,005B90AB), ref: 005E3D30
Part of subcall function 005E3C50: SetLastError.KERNEL32(00000000,?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?), ref: 005E3D3B

CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 005E6360
GetLastError.KERNEL32(?,?,?,?,?,?,005E67A8,00000000), ref: 005E636E

Strings

schannel: failed to extract certificate from CA file '%s': %s, xrefs: 005E6596
schannel: invalid path name for CA file '%s': %s, xrefs: 005E6337
schannel: added %d certificate(s) from CA file '%s', xrefs: 005E65D6
schannel: CA file '%s' is not correctly formatted, xrefs: 005E65A1
schannel: failed to open CA file '%s': %s, xrefs: 005E637F
schannel: CA file exceeds max size of %u bytes, xrefs: 005E63E6
schannel: failed to determine size of CA file '%s': %s, xrefs: 005E63B7
-----END CERTIFICATE-----, xrefs: 005E6495
schannel: failed to read from CA file '%s': %s, xrefs: 005E6534
schannel: failed to add certificate from CA file '%s'to certificate store: %s, xrefs: 005E6562
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 005E656E
schannel: did not add any certificates from CA file '%s', xrefs: 005E65C3
-----BEGIN CERTIFICATE-----, xrefs: 005E6468

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$CreateFile_strncpy
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s'to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 496561694-1680000615
Opcode ID: 41341722e86daadba921911e1162f4aec4688259f65065b1b5b2685496d5e15b
Instruction ID: 7cb6156e6663f211f8c4184f098a2939da0dcf36ca173370fada66ec39073fb4
Opcode Fuzzy Hash: 41341722e86daadba921911e1162f4aec4688259f65065b1b5b2685496d5e15b
Instruction Fuzzy Hash: DF81D1B1A00655BBDF149F51DC4AFAE7F7AFF54780F54042AF946E6192DB30AE008B60

Uniqueness

Uniqueness Score: -1.00%

Function 0053F03F Relevance: 46.4, APIs: 7, Strings: 19, Instructions: 908COMMON

Download Yara Rule

APIs

Part of subcall function 005EE6C3: EnterCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE6CE
Part of subcall function 005EE6C3: LeaveCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE70B

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,ProductID), ref: 0053F2E8
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 0053F421
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,RecommendProductID), ref: 0053F555
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 0053F688
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 0053F111

Part of subcall function 005EEA1F: __onexit.LIBCMT ref: 005EEA25

Part of subcall function 005EE679: EnterCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE683
Part of subcall function 005EE679: LeaveCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE6B6

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,00000009), ref: 0053F825
GetVersionExW.KERNEL32(0000011C,?,?,00000009), ref: 0053F920

Strings

cE, xrefs: 0053F4F8
RecommendProductID, xrefs: 0053F4D5
ProductID, xrefs: 0053F268
tid, xrefs: 0053F568
%<, xrefs: 0053F6F6
pid, xrefs: 0053F2FB
server, xrefs: 0053F92D, 0053F95A, 0053F95B
DownloadInfoUrl, xrefs: 0053F9E9
`9, xrefs: 0053F9BB
+@, xrefs: 0053FA30
home, xrefs: 0053F932
version, xrefs: 0053F434
LANG, xrefs: 0053F173
exeNumber, xrefs: 0053F73A, 0053F838
lang, xrefs: 0053F69B
-@, xrefs: 0053F36E
the DOWNLOAD_VESION read result is :%s., xrefs: 0053F138
pcVersion, xrefs: 0053F96D
X=, xrefs: 0053F5C3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalSection$EnterLeave$Version__onexit
String ID: DownloadInfoUrl$LANG$ProductID$RecommendProductID$exeNumber$home$lang$pcVersion$pid$server$the DOWNLOAD_VESION read result is :%s.$tid$version$%<$+@$-@$X=$`9$cE
API String ID: 1524573255-692924076
Opcode ID: 6151c9ab535555ad9fd8259a408146af6e59a8e0291e0d8353ccf61ccb2d4d59
Instruction ID: 6bdb5d4a1356c62fb6e86fe79de79354231cddb61e0027d34066dd04121827fa
Opcode Fuzzy Hash: 6151c9ab535555ad9fd8259a408146af6e59a8e0291e0d8353ccf61ccb2d4d59
Instruction Fuzzy Hash: 2F721230D002599BEB29DB64CC49BDEBFB9BF86304F20419CE4456B2D2DBB15B45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E2860 Relevance: 42.0, Strings: 33, Instructions: 726COMMON

Download Yara Rule

Strings

SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu], xrefs: 005E290E
Connection time-out, xrefs: 005E2949
Undocumented SOCKS5 mode attempted to be used by server., xrefs: 005E2DA6
Failed to send SOCKS5 connect request., xrefs: 005E31F9
Unable to receive initial SOCKS5 response., xrefs: 005E322A
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.), xrefs: 005E2D9B, 005E2DA0
No authentication method was acceptable., xrefs: 005E2D94
SOCKS5: connecting to HTTP proxy %s port %d, xrefs: 005E28EE
SOCKS5 read timeout, xrefs: 005E2B1C
Failed to receive SOCKS5 connect request ack., xrefs: 005E2F80
Failed to resolve "%s" for SOCKS5 connect., xrefs: 005E3206
SOCKS5 read error occurred, xrefs: 005E2B45
SOCKS5: error occurred during connection, xrefs: 005E29D6
SOCKS5: connection timeout, xrefs: 005E29AD
Unable to send initial SOCKS5 request., xrefs: 005E3231
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d), xrefs: 005E3082
SOCKS5 request granted., xrefs: 005E31CB
Unable to receive SOCKS5 sub-negotiation response., xrefs: 005E2D5D
SOCKS5 connect to IPv4 %s (locally resolved), xrefs: 005E2EBC
SOCKS5: no connection here, xrefs: 005E299D
SOCKS5 GSS-API protection not yet implemented., xrefs: 005E2F1F, 005E2F72
SOCKS5 connection to %s not supported, xrefs: 005E2ED2
Unable to negotiate SOCKS5 GSS-API context., xrefs: 005E2BF7
Can't complete SOCKS5 connection to %02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%d. (%d), xrefs: 005E31A7
Failed to send SOCKS5 sub-negotiation request., xrefs: 005E2D67
SOCKS5 reply has wrong version, version should be 5., xrefs: 005E2FBE
SOCKS5 communication to %s:%d, xrefs: 005E2A85
Can't complete SOCKS5 connection to %s:%d. (%d), xrefs: 005E30E7
SOCKS5 nothing to read, xrefs: 005E2B0C
SOCKS5 GSSAPI per-message authentication is not supported., xrefs: 005E2D79
User was rejected by the SOCKS5 server (%d %d)., xrefs: 005E2D39
Received invalid version in initial SOCKS5 response., xrefs: 005E2BB4
warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu, xrefs: 005E29F1

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ioctlsocket
String ID: Can't complete SOCKS5 connection to %02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%d. (%d)$Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)$Can't complete SOCKS5 connection to %s:%d. (%d)$Connection time-out$Failed to receive SOCKS5 connect request ack.$Failed to resolve "%s" for SOCKS5 connect.$Failed to send SOCKS5 connect request.$Failed to send SOCKS5 sub-negotiation request.$No authentication method was acceptable.$No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)$Received invalid version in initial SOCKS5 response.$SOCKS5 GSS-API protection not yet implemented.$SOCKS5 GSSAPI per-message authentication is not supported.$SOCKS5 communication to %s:%d$SOCKS5 connect to IPv4 %s (locally resolved)$SOCKS5 connection to %s not supported$SOCKS5 nothing to read$SOCKS5 read error occurred$SOCKS5 read timeout$SOCKS5 reply has wrong version, version should be 5.$SOCKS5 request granted.$SOCKS5: connecting to HTTP proxy %s port %d$SOCKS5: connection timeout$SOCKS5: error occurred during connection$SOCKS5: no connection here$SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu]$Unable to negotiate SOCKS5 GSS-API context.$Unable to receive SOCKS5 sub-negotiation response.$Unable to receive initial SOCKS5 response.$Unable to send initial SOCKS5 request.$Undocumented SOCKS5 mode attempted to be used by server.$User was rejected by the SOCKS5 server (%d %d).$warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu
API String ID: 3577187118-3450089137
Opcode ID: 9d138138968b0ecb5b8be66b33d0273b97403fe3cf01f33ba80df102a699f163
Instruction ID: 641cc1d70f7264037d8847817f07c532d06673c1e6ad3949a18ad53e8b6ed412
Opcode Fuzzy Hash: 9d138138968b0ecb5b8be66b33d0273b97403fe3cf01f33ba80df102a699f163
Instruction Fuzzy Hash: 75422871A046A9AEDF259B159C5ABFEBFBDBF85301F1400E5E48DA2182D7315F808F21

Uniqueness

Uniqueness Score: -1.00%

Function 0057D11F Relevance: 41.2, APIs: 17, Strings: 6, Instructions: 902COMMON

Download Yara Rule

APIs

_wcsstr.LIBVCRUNTIME ref: 0057D2C2
_wcsstr.LIBVCRUNTIME ref: 0057D2D9
CharNextW.USER32(?), ref: 0057D39C
CharNextW.USER32(?), ref: 0057D3D7
CharNextW.USER32(?), ref: 0057D45E
SelectObject.GDI32(?,00000000), ref: 0057D987
CharNextW.USER32(?), ref: 0057D49A

Part of subcall function 0055D430: SelectObject.GDI32(?,00000000), ref: 0055D4B1
Part of subcall function 0055D430: GetTextMetricsW.GDI32(?,00000000), ref: 0055D4C5
Part of subcall function 0055D430: SelectObject.GDI32(?,00000000), ref: 0055D4D5

CharNextW.USER32(?), ref: 0057D4DA

Strings

res=', xrefs: 0057D2CE
restype, xrefs: 0057D5DF
file=', xrefs: 0057D2B7
res, xrefs: 0057D5A3
file, xrefs: 0057D565
, xrefs: 0057D71D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext$ObjectSelect$_wcsstr$MetricsText
String ID: $file$file='$res$res='$restype
API String ID: 1690279798-2820399831
Opcode ID: 6dc6ad85be771ef034544a65003dde8a46460a96564976ab71c3cb8defd4886f
Instruction ID: ca51b64dcd0a8803e5348173d15badce7f3159c5245f09f17be6a6bc323e4b02
Opcode Fuzzy Hash: 6dc6ad85be771ef034544a65003dde8a46460a96564976ab71c3cb8defd4886f
Instruction Fuzzy Hash: 61825D75D002298BDF24DF24DC45BA9BBB6BF94310F0485E9E84DA7250EB329E91DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00584AB0 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 336timewindowCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32(00000000), ref: 00584AFD
SetTimer.USER32(?,00000014,00000000), ref: 00584B09
CallWindowProcW.USER32(?,?,?,?,?), ref: 00584B1D
DefWindowProcW.USER32(?,?,?,?), ref: 00584B43
SendMessageW.USER32(?,00000008,?,?), ref: 00584B75
GetClientRect.USER32(?,?), ref: 00584D55
InvalidateRect.USER32(?,?,00000000), ref: 00584D65

Part of subcall function 00584EB0: GetWindowTextLengthW.USER32(?), ref: 00584ED2
Part of subcall function 00584EB0: GetWindowTextW.USER32(?,?,00000001), ref: 00584EEE

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00584B84

Part of subcall function 0055C680: GetWindowRect.USER32(?,?), ref: 0055C6AF
Part of subcall function 0055C680: ScreenToClient.USER32(?,?), ref: 0055C6C5
Part of subcall function 0055C680: ScreenToClient.USER32(?,?), ref: 0055C6D1

Strings

return, xrefs: 00584C01

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$ClientRect$MessageProcScreenSendText$BlinkCallCaretInvalidateLengthTimeTimer
String ID: return
API String ID: 2606525845-2812165903
Opcode ID: cd79113ebe44cc6b8a3eb1ce83440a503ed268399257bd75b2e32a706b3328d2
Instruction ID: 4dcf0261aa583efd228f917bfe459255917f25e2aa1d20e63ae34cbcaafe4bef
Opcode Fuzzy Hash: cd79113ebe44cc6b8a3eb1ce83440a503ed268399257bd75b2e32a706b3328d2
Instruction Fuzzy Hash: 89C19F75604602AFDB14EF68D949B69BBF5FF99301F000A69F949DB2A0CB30EC50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005369D0 Relevance: 30.9, APIs: 3, Strings: 14, Instructions: 1118sleepCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,DownloadThreadCount), ref: 00536A9E

Part of subcall function 00521300: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 0052131E

SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00537442

Part of subcall function 00521340: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000), ref: 00521361

Part of subcall function 005267E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00526887

Sleep.KERNEL32(?), ref: 0053784B

Strings

Downloading, xrefs: 00536CED, 00536E55, 00536F4E, 00537162, 005371F2, 00537399, 00537460
Result_iTunesdevicedriver, xrefs: 00536CC3, 00536E2B, 00537155, 005371E5, 0053738C, 00537453
progressValue, xrefs: 0053773C
text, xrefs: 00537714
DownloadThreadCount, xrefs: 00536A1C
Failed, xrefs: 00536B3F, 00537073, 005372D3
Info_iTunesdevicedriver, xrefs: 00536F41
Errorinfo, xrefs: 00536BE9, 005370F8, 0053733E
Result, xrefs: 00536B18, 00536DAF, 00537050, 005371AA, 005372B0, 0053741A
Success, xrefs: 00536DD6, 005371CD, 0053743B
slrProgress, xrefs: 00537826
value, xrefs: 005377FE
InstallIntervalTime, xrefs: 00537591
Stopped, xrefs: 005369EF, 005370F0, 00537133

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide$Ios_base_dtorSimpleSleepString::operator=std::ios_base::_
String ID: DownloadThreadCount$Downloading$Errorinfo$Failed$Info_iTunesdevicedriver$InstallIntervalTime$Result$Result_iTunesdevicedriver$Stopped$Success$progressValue$slrProgress$text$value
API String ID: 1622151193-399109315
Opcode ID: 6885832ddf4e84a2ebe5ab422993bef6dd908d0fb90f7e1a48ba30c92dbd83de
Instruction ID: 19b7889290e19870589e35042f8acf4a3fd70ce7ebd4fe819eff4b11d6a29974
Opcode Fuzzy Hash: 6885832ddf4e84a2ebe5ab422993bef6dd908d0fb90f7e1a48ba30c92dbd83de
Instruction Fuzzy Hash: 3792DD70D00359ABDF14DFA4D849BEDBFB2BF8A304F148158E4456B2C2DB746A09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00560820 Relevance: 30.9, Strings: 24, Instructions: 864COMMON

Download Yara Rule

Strings

Tree, xrefs: 00560FF9
Default, xrefs: 0056090A
IContainer, xrefs: 0056202F
Combo, xrefs: 0056114D
?d, xrefs: 005610CA
cover, xrefs: 00561ECE
TreeNode, xrefs: 00560B23, 00560B3F, 00561FF4
MultiLanguage, xrefs: 00560920
count, xrefs: 005609B4
VBox, xrefs: 0056110F
Label, xrefs: 00561187
source, xrefs: 005609E8
T8d, xrefs: 00561050
Include, xrefs: 00560936
List, xrefs: 00560F12
Font, xrefs: 005608F4
L8d, xrefs: 0056105A
true, xrefs: 00561EE6
TreeNodeUI, xrefs: 00560D32
HBox, xrefs: 0056108C
Text, xrefs: 00560F4C
Edit, xrefs: 00560DB2
Image, xrefs: 005608D8
TreeView, xrefs: 00560D58

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext
String ID: ?d$Combo$Default$Edit$Font$HBox$IContainer$Image$Include$L8d$Label$List$MultiLanguage$T8d$Text$Tree$TreeNode$TreeNodeUI$TreeView$VBox$count$cover$source$true
API String ID: 3213498283-692308923
Opcode ID: b3be5904db14335f7cb4630a4ac21c6fea7260cab67de9e05efa89701d557a06
Instruction ID: f3d5c08d22ea3da3b99036adcbb3e2048e689502e5295e0965dd55a932d1baa2
Opcode Fuzzy Hash: b3be5904db14335f7cb4630a4ac21c6fea7260cab67de9e05efa89701d557a06
Instruction Fuzzy Hash: 6E72B670A016199FDB24DF24CC45BAABBF5BF94300F1445ECE849A7292EB719E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005A8310 Relevance: 28.7, APIs: 8, Strings: 8, Instructions: 720synchronizationthreadCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 005A839F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,005A8C6E,000000FF,00000000,00000000,00000000,00000000,6F923D37,00000018,00620238), ref: 005A84BE
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,005A8C6E,000000FF,00000000,00000000,00000000,00000000), ref: 005A84FF

Part of subcall function 005A8310: Sleep.KERNEL32(00000064), ref: 005A87BD

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 005A8569
CreateThread.KERNEL32(00000000,00000000,005A8C00,00000000,00000000,00000000), ref: 005A8ADD
WaitForSingleObject.KERNEL32(00000000,00002710,?,?,?,?,?,?,?,?,00000004), ref: 005A8AEF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000004), ref: 005A8AF6

Strings

&downloader_num=, xrefs: 005A8987
uid=, xrefs: 005A88FA
GUID, xrefs: 005A88C4
&install_finish_downloader=true, xrefs: 005A8A18
&url=, xrefs: 005A8915
UpdateEventUrl, xrefs: 005A8A43
iTry=%d,lastCode=%d, xrefs: 005A8686
&install_start_downloader=true, xrefs: 005A89FA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide$CloseCreateHandleObjectSingleSleepThreadWait
String ID: &downloader_num=$&install_finish_downloader=true$&install_start_downloader=true$&url=$GUID$UpdateEventUrl$iTry=%d,lastCode=%d$uid=
API String ID: 4137312769-3209941931
Opcode ID: 96b67ce3e493f61ab800d00cf696553f02ad0ea193483adf8108742e1dbd7c7b
Instruction ID: e6ac14c4613411bdd686b5d6e11bfcd3eaf940235bce20a76584cad42f68d6ac
Opcode Fuzzy Hash: 96b67ce3e493f61ab800d00cf696553f02ad0ea193483adf8108742e1dbd7c7b
Instruction Fuzzy Hash: 3F423671A002499BDF14DF64DC4ABAE7FB2FF8A304F10465CE405AB2D1EB75AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005382B0 Relevance: 28.5, APIs: 5, Strings: 11, Instructions: 453shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?), ref: 00538849
OpenProcessToken.ADVAPI32(00000000), ref: 00538850
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00538865
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0053888C
ExitWindowsEx.USER32(00000006,00040000), ref: 0053889D

Strings

Downloading, xrefs: 0053868F
wizardTab, xrefs: 00538455, 005384AB
Errorinfo, xrefs: 00538619
Result, xrefs: 005385A9
failed, xrefs: 005385CF
Result_Loading, xrefs: 00538682
File MD5 can't pass, xrefs: 00538638
Download_Failed, xrefs: 00538341
Auto_Retry, xrefs: 005382F2, 00538322, 00538323
SeShutdownPrivilege, xrefs: 0053885E
Click_Retry, xrefs: 005382ED

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: Auto_Retry$Click_Retry$Download_Failed$Downloading$Errorinfo$File MD5 can't pass$Result$Result_Loading$SeShutdownPrivilege$failed$wizardTab
API String ID: 1314775590-1435622279
Opcode ID: c858744d70ee5715cc95329f55c72d83c0b1e529e130cf443cada16d38946176
Instruction ID: e13c7a3bf19889151ae78ccc0d2be2cc1bfb00db9681c72a52618f2464f4f186
Opcode Fuzzy Hash: c858744d70ee5715cc95329f55c72d83c0b1e529e130cf443cada16d38946176
Instruction Fuzzy Hash: 82F1E571A002099BDF08DBA4DC8ABADBF76FF85300F608518F415AB2D2DB756A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005C0240 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 356networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 005C047B
bind.WS2_32(?,?,00000000), ref: 005C05BD
htons.WS2_32(?), ref: 005C0603
bind.WS2_32(?,00000002,00000000), ref: 005C061E
getsockname.WS2_32(?,?,00000080), ref: 005C0657
WSAGetLastError.WS2_32 ref: 005C0665
WSAGetLastError.WS2_32 ref: 005C06A5

Strings

Local Interface %s is ip %s using address family %i, xrefs: 005C04FB
getsockname() failed with errno %d: %s, xrefs: 005C0681
Couldn't bind to interface '%s', xrefs: 005C0532
Bind to local port %hu failed, trying next, xrefs: 005C05E9
Local port: %hu, xrefs: 005C06E9
bind failed with errno %d: %s, xrefs: 005C06C1
Name '%s' family %i resolved to '%s' family %i, xrefs: 005C042A
Couldn't bind to '%s', xrefs: 005C0557

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastbindhtons$getsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 1307802678-2769131373
Opcode ID: 6fe2b286e57cb490a9696899e22f84d45922c15573a55c3da8b571e6e6423ddc
Instruction ID: 18370e166b2bef06ab68a45948f15a3dff71accc002585d98e3464eef8f90439
Opcode Fuzzy Hash: 6fe2b286e57cb490a9696899e22f84d45922c15573a55c3da8b571e6e6423ddc
Instruction Fuzzy Hash: 8FC1C275A00219AFDF209F64DC5AFEA7BB8FF45304F0440E9E909A7282EB715E458F90

Uniqueness

Uniqueness Score: -1.00%

Function 005A8440 Relevance: 26.9, APIs: 7, Strings: 8, Instructions: 631sleepCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,005A8C6E,000000FF,00000000,00000000,00000000,00000000,6F923D37,00000018,00620238), ref: 005A84BE
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,005A8C6E,000000FF,00000000,00000000,00000000,00000000), ref: 005A84FF
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 005A8569
Sleep.KERNEL32(00000064), ref: 005A87BD

Strings

&downloader_num=, xrefs: 005A8987
uid=, xrefs: 005A88FA
GUID, xrefs: 005A88C4
&install_finish_downloader=true, xrefs: 005A8A18
&url=, xrefs: 005A8915
UpdateEventUrl, xrefs: 005A8A43
iTry=%d,lastCode=%d, xrefs: 005A8686
&install_start_downloader=true, xrefs: 005A89FA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide$Sleep
String ID: &downloader_num=$&install_finish_downloader=true$&install_start_downloader=true$&url=$GUID$UpdateEventUrl$iTry=%d,lastCode=%d$uid=
API String ID: 556109852-3209941931
Opcode ID: 25b2d34471f5a80c9be82e4481234fdab6aa7d5f45ddab816b9346f3bb1c0fba
Instruction ID: 18f19c90bc41318c5ebbfae05dbb695a5b379bd8346930ba918875ae899d4556
Opcode Fuzzy Hash: 25b2d34471f5a80c9be82e4481234fdab6aa7d5f45ddab816b9346f3bb1c0fba
Instruction Fuzzy Hash: 18322771E00249ABDB14DF64DC4ABAE7F72FF8A314F104658F405AB2D1EB75AA40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00554FA0 Relevance: 21.4, APIs: 5, Strings: 7, Instructions: 361processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005550C6
Process32FirstW.KERNEL32(00000000,?), ref: 0055518B
CloseHandle.KERNEL32(00000000), ref: 0055519A
Process32NextW.KERNEL32(00000000,0000022C), ref: 00555277
CloseHandle.KERNEL32(00000000), ref: 0055528B

Strings

ProductEventName, xrefs: 00555054
ProductProcess, xrefs: 00554FE9
RegistryName, xrefs: 0055578B
hha, xrefs: 005556B8
RegistryAddress, xrefs: 00555741
kernel32, xrefs: 005556E1
GetNativeSystemInfo, xrefs: 005556DC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID: GetNativeSystemInfo$ProductEventName$ProductProcess$RegistryAddress$RegistryName$hha$kernel32
API String ID: 1789362936-1369795354
Opcode ID: aff50e9f5eeda81cb0bf92f751b331cfed28d66f78c6f9a770e4135fbd817556
Instruction ID: 72c347de1ee38729180302cc980704aa41b462725298a9b9d5a4490304909bb2
Opcode Fuzzy Hash: aff50e9f5eeda81cb0bf92f751b331cfed28d66f78c6f9a770e4135fbd817556
Instruction Fuzzy Hash: 72D114709006058FDF24DF74CC6DB9DBFB5BF49301F144699E849AB391E774AA888B90

Uniqueness

Uniqueness Score: -1.00%

Function 005D0060 Relevance: 20.5, Strings: 16, Instructions: 509COMMON

Download Yara Rule

Strings

schannel: received incomplete message, need more data, xrefs: 005D06AF
schannel: SNI or certificate check failed: %s, xrefs: 005D063D, 005D0646
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 005D04AF
schannel: SSL/TLS connection with %s port %hu (step 2/3), xrefs: 005D00D8
schannel: encrypted data got %zd, xrefs: 005D0280
schannel: failed to receive handshake, need more data, xrefs: 005D04E6
schannel: sending next handshake data: sending %lu bytes..., xrefs: 005D03E3
schannel: SSL/TLS handshake complete, xrefs: 005D055D
schannel: encrypted data length: %lu, xrefs: 005D0456
SSL: public key does not match pinned public key!, xrefs: 005D05C1
schannel: a client certificate has been requested, xrefs: 005D067B
schannel: encrypted data buffer: offset %zu length %zu, xrefs: 005D029A
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 005D050F
schannel: unable to re-allocate memory, xrefs: 005D01E1
schannel: unable to allocate memory, xrefs: 005D0147
schannel: next InitializeSecurityContext failed: %s, xrefs: 005D0638

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastrecv
String ID: SSL: public key does not match pinned public key!$schannel: SNI or certificate check failed: %s$schannel: SSL/TLS connection with %s port %hu (step 2/3)$schannel: SSL/TLS handshake complete$schannel: a client certificate has been requested$schannel: encrypted data buffer: offset %zu length %zu$schannel: encrypted data got %zd$schannel: encrypted data length: %lu$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to receive handshake, need more data$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: received incomplete message, need more data$schannel: sending next handshake data: sending %lu bytes...$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 2514157807-2923914744
Opcode ID: 31ccf7529ff4ab9352414e4f901df5c9bbdf5fe7d5efad184e68deb1e6c2bee4
Instruction ID: 2d634369077057eb6862636a7bcda89ad665d520fc5bc0805405ab96207597a0
Opcode Fuzzy Hash: 31ccf7529ff4ab9352414e4f901df5c9bbdf5fe7d5efad184e68deb1e6c2bee4
Instruction Fuzzy Hash: 4012A171A00205AFDB24DF98D886FED7BB5FF48318F54057AF90A9B282DB31A951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005287D0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 151registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 005287FF
RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?), ref: 0052882B
RegCloseKey.ADVAPI32(00000000), ref: 00528839
LoadLibraryA.KERNEL32(Wininet.dll,00000000), ref: 00528916
GetProcAddress.KERNEL32(00000000,InternetCheckConnectionA), ref: 00528929
FreeLibrary.KERNEL32(00000000), ref: 0052895A

Strings

https://www.google.com/, xrefs: 00528939
InternetCheckConnectionA, xrefs: 00528923
https://www.baidu.com/, xrefs: 00528947
Wininet.dll, xrefs: 00528911

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Library$AddressCloseCreateFreeLoadProcValue
String ID: InternetCheckConnectionA$Wininet.dll$https://www.baidu.com/$https://www.google.com/
API String ID: 325391000-516931071
Opcode ID: 9faccfd32b85b4a2c62a57ae527784fff73c1d20becb323f7fadbf54b1163032
Instruction ID: 13bdd5449599251fef5974777563d9c28a0cb32258ced5b7b1dea52bba4c29bb
Opcode Fuzzy Hash: 9faccfd32b85b4a2c62a57ae527784fff73c1d20becb323f7fadbf54b1163032
Instruction Fuzzy Hash: CF414471211209ABEB28CF68EC89FAD3F66FF86740F904518F804EA2D1DB75D981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00558FB0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 162keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 005590C3
GetKeyState.USER32(00000002), ref: 005590D2
GetKeyState.USER32(00000001), ref: 005590DE
GetKeyState.USER32(00000010), ref: 005590EA
GetKeyState.USER32(00000012), ref: 005590F6
GetTickCount.KERNEL32 ref: 00559104
_wcsstr.LIBVCRUNTIME ref: 0055916D
GetKeyState.USER32(00000010), ref: 0055918A

Strings

RichEdit, xrefs: 00559162

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: State$CountTick_wcsstr
String ID: RichEdit
API String ID: 732035549-1265552804
Opcode ID: 6f695f1e587d5aee9bcce27f44c9706040e59bef7414d3b1f95e5cb79ee82131
Instruction ID: 042f81f02b6ba71e44f6b4329f584106f162f5a039d73734fa19fca997428329
Opcode Fuzzy Hash: 6f695f1e587d5aee9bcce27f44c9706040e59bef7414d3b1f95e5cb79ee82131
Instruction Fuzzy Hash: A4510A3560070ADFDB10CF64C899BF97BA1FF88301F00846AED5AAB251DB75AD45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005581C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 123windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005581F2
GetParent.USER32(?), ref: 00558204
GetWindow.USER32(?,00000004), ref: 0055820F
MonitorFromWindow.USER32 ref: 0055823F
GetMonitorInfoW.USER32(00000000), ref: 00558246
IsIconic.USER32(00000000), ref: 00558260
GetWindowRect.USER32(00000000,?), ref: 00558270
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00558313

Strings

(, xrefs: 00558237

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$MonitorRect$FromIconicInfoParent
String ID: (
API String ID: 1680950861-3887548279
Opcode ID: a66cbaacc019e0cb14930f35a677e2c6f25fa581db4dbe1500e7d20b8230a884
Instruction ID: 0d2e9fc12ce90f74a559642ffc4311c73c68f14897542901229b953c233df574
Opcode Fuzzy Hash: a66cbaacc019e0cb14930f35a677e2c6f25fa581db4dbe1500e7d20b8230a884
Instruction Fuzzy Hash: BA41CF31508B419BD710CF3CC846AAABBFABFD9315F145A19F994D7160EB30E8468B81

Uniqueness

Uniqueness Score: -1.00%

Function 0056E550 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 305COMMON

Download Yara Rule

APIs

CLSIDFromString.OLE32(?,?), ref: 0056E6F3
CLSIDFromProgID.OLE32(?,?), ref: 0056E6FB

Strings

clsid, xrefs: 0056E683
autonavi, xrefs: 0056E5D5
homepage, xrefs: 0056E578
true, xrefs: 0056E60F, 0056E823
delaycreate, xrefs: 0056E7E5
modulename, xrefs: 0056E786

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: From$ProgString
String ID: autonavi$clsid$delaycreate$homepage$modulename$true
API String ID: 2510552579-3099872486
Opcode ID: 52fa0a5b861908de964b18198a7f48114ce499ae39a82d0ade85b99c8c6a779f
Instruction ID: 14c34c29a6871339f11fa19a59538150b2dee17e646b790336b93e24574b2e2e
Opcode Fuzzy Hash: 52fa0a5b861908de964b18198a7f48114ce499ae39a82d0ade85b99c8c6a779f
Instruction Fuzzy Hash: 4EA13B367162439AD724AF24D8137FBBBA2FFB5314F84496AD8468B241FB32D940C391

Uniqueness

Uniqueness Score: -1.00%

Function 005EC500 Relevance: 12.9, Strings: 10, Instructions: 382COMMON

Download Yara Rule

Strings

blank, xrefs: 005EC7CA
print, xrefs: 005EC6D0
upper, xrefs: 005EC81B
alnum, xrefs: 005EC5DD
alpha, xrefs: 005EC62E
graph, xrefs: 005EC721
space, xrefs: 005EC779
lower, xrefs: 005EC86C
xdigit, xrefs: 005EC67F
digit, xrefs: 005EC58A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
API String ID: 0-2602438971
Opcode ID: 424687559025e1274798b5cc233be01b0ad40ce0b872c9b0eea2cf8a26eb4c51
Instruction ID: 79378a0bf0e41eb0bd13783d420cbabdf4a65f4f891f10025129662c6ba0f154
Opcode Fuzzy Hash: 424687559025e1274798b5cc233be01b0ad40ce0b872c9b0eea2cf8a26eb4c51
Instruction Fuzzy Hash: A9C1C561A081C54ACB198F7A95A17FA7FA3FB66314F5804EAC8C6DB242D713DD0A8750

Uniqueness

Uniqueness Score: -1.00%

Function 006140C0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 253COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

GetACP.KERNEL32(00000055,?,?,?,?,?,0060748B,?,?,?,?,?,?,00000004), ref: 00614181
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,0060748B,?,?,?,?,?,?,00000004), ref: 006141AC
_wcschr.LIBVCRUNTIME ref: 00614240
_wcschr.LIBVCRUNTIME ref: 0061424E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0060748B,00000000,006075AB), ref: 00614311

Strings

utf8, xrefs: 0061427E
X2c, xrefs: 00614137

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: X2c$utf8
API String ID: 4147378913-1921029068
Opcode ID: 71b69bc81da5b04e16964b82417e9f5eba6d95afedd3fd5c8182e6cd8c4c38ad
Instruction ID: a2236a5735c6456e6765e8268d2261835a9d9fb01af74a93de7deacdfa57ad2e
Opcode Fuzzy Hash: 71b69bc81da5b04e16964b82417e9f5eba6d95afedd3fd5c8182e6cd8c4c38ad
Instruction Fuzzy Hash: 17712831600306AADB24AB35CC46BF773AAEF45710F184469FA05DB281EF70EEC18795

Uniqueness

Uniqueness Score: -1.00%

Function 00614A2F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACB3
Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACE9

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 00614B3B
IsValidCodePage.KERNEL32(00000000), ref: 00614B86
IsValidLocale.KERNEL32(?,00000001), ref: 00614B95
GetLocaleInfoW.KERNEL32(?,00001001,00607484,00000040,?,006075A4,00000055,00000000,?,?,00000055,00000000), ref: 00614BDD
GetLocaleInfoW.KERNEL32(?,00001002,00607504,00000040), ref: 00614BFC

Strings

X2c, xrefs: 00614AE8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: X2c
API String ID: 949163717-2753938057
Opcode ID: 7e604d8b20b129a437fe107b2377d2581a765679e21ad8b9df35806ae03d7ae0
Instruction ID: e965be827e588b99c45d90eb79250d8a14945c12b73ba1e571d76510b925aea9
Opcode Fuzzy Hash: 7e604d8b20b129a437fe107b2377d2581a765679e21ad8b9df35806ae03d7ae0
Instruction Fuzzy Hash: 91518F71A04209AFEB10DFA5CC45BFAB7BAFF44700F1D4469A915EB290DB70DA808B65

Uniqueness

Uniqueness Score: -1.00%

Function 005CE490 Relevance: 10.6, APIs: 7, Instructions: 74encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,?,F0000000), ref: 005CE4D7
CryptCreateHash.ADVAPI32(00000000,?,00000000,00000000,00000000), ref: 005CE4EF
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 005CE504
CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,00000004,00000000), ref: 005CE51D
CryptGetHashParam.ADVAPI32(00000000,00000002,00000004,?,00000000), ref: 005CE53A
CryptDestroyHash.ADVAPI32(00000000), ref: 005CE548
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005CE558

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: b3f16c71c72692ada65721a3e953b9b25d7ce11e43fd01d8f96e5a16964fd7ed
Instruction ID: b3c569df2ea55a41556101f4878b7ebf81d8bf5af45a35f9e1379ecab64e52eb
Opcode Fuzzy Hash: b3f16c71c72692ada65721a3e953b9b25d7ce11e43fd01d8f96e5a16964fd7ed
Instruction Fuzzy Hash: 31212571A00209BBEF209F90DD4AFEE7B79FB04700F140054FA00EA190EB75AA51DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005EA450 Relevance: 9.1, APIs: 6, Instructions: 96encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,?,?,?,?,00000000,?), ref: 005EA4CC
CryptCreateHash.ADVAPI32(00000000,00008002,00000000,00000000,?,?,?,?,?,?,00000000,?), ref: 005EA4E9
CryptHashData.ADVAPI32(?,00000000,00000000,00000000,?,?,?,?), ref: 005EA501
CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000,?,?,?,?), ref: 005EA513
CryptDestroyHash.ADVAPI32(?,?,?,?,?), ref: 005EA51C
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,00000000,?), ref: 005EA527

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
String ID:
API String ID: 3186506766-0
Opcode ID: ffcab465d37ab876879682a217f4d4c2012b1be377305db6831d650d41072df4
Instruction ID: 155851f109cb51c6404ea62257e7731bca663734ad3bd08961d8b21fb1fd7f20
Opcode Fuzzy Hash: ffcab465d37ab876879682a217f4d4c2012b1be377305db6831d650d41072df4
Instruction Fuzzy Hash: A5312532900248BBDB209FA4EC49FDE7F7DFF45715F100066F945A61D0DBB1AA158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 005EA580 Relevance: 9.1, APIs: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,0000000E,?), ref: 005EA5AE
CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,?), ref: 005EA603
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005EA611
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,0000000E,00000008,00000008), ref: 005EA647
CryptDestroyKey.ADVAPI32(?), ref: 005EA650
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005EA65B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID:
API String ID: 3016261861-0
Opcode ID: c09529533073f6c062a86ea7997b13d2ad87e2e0748a20cd8715b7028e50b581
Instruction ID: 8812aea2caa7b12614de8708cfbade41015581e2193fde32f0f06b55d9baa9e5
Opcode Fuzzy Hash: c09529533073f6c062a86ea7997b13d2ad87e2e0748a20cd8715b7028e50b581
Instruction Fuzzy Hash: 48318E31A4024DABDF10DFA5DC46FEEBBB9FF59700F204059FA04BA290DB7169858B64

Uniqueness

Uniqueness Score: -1.00%

Function 00614854 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00614B7A,?,00000000), ref: 006148ED
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00614B7A,?,00000000), ref: 00614916
GetACP.KERNEL32(?,?,00614B7A,?,00000000), ref: 0061492B

Strings

ACP, xrefs: 00614872
OCP, xrefs: 006148A8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 53f8036d3d0d8a4c460e3ed4f2be076eedee8f152f69e6767bd8c00178da2313
Instruction ID: 9276a801f5bcf634775eb29e9bbf9a0980d154c2e0d202347d7b1fc82938b52f
Opcode Fuzzy Hash: 53f8036d3d0d8a4c460e3ed4f2be076eedee8f152f69e6767bd8c00178da2313
Instruction Fuzzy Hash: 8321B322A05105A6DB74CF65C901BE7B3A7EF51B60B5E8865E90ADB310EF32DEC1C350

Uniqueness

Uniqueness Score: -1.00%

Function 005A0540 Relevance: 8.4, Strings: 6, Instructions: 861COMMON

Download Yara Rule

Strings

DNEI, xrefs: 005A062B
SNRt, xrefs: 005A0B30
IBgC, xrefs: 005A0613
RDHI, xrefs: 005A0601
ETLP, xrefs: 005A0B24
TADI, xrefs: 005A061F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: DNEI$ETLP$IBgC$RDHI$SNRt$TADI
API String ID: 0-81932513
Opcode ID: 178093d71cda729e451bc27d2bb85e01f00579b880a5f6fe4e77d37b3990dd4a
Instruction ID: fcff4173b03a781044bfa61d123b8848c7137474fbacc5e0ddaa6750c369752c
Opcode Fuzzy Hash: 178093d71cda729e451bc27d2bb85e01f00579b880a5f6fe4e77d37b3990dd4a
Instruction Fuzzy Hash: E272BF34A007458FCB25CF29C8947AABFE1BF4B340F1499ADD49A87392D730A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 005BE200 Relevance: 7.8, APIs: 5, Instructions: 309networkCOMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,00000000), ref: 005BE4BA
WSAGetLastError.WS2_32 ref: 005BE4C9
__WSAFDIsSet.WS2_32(?,?), ref: 005BE5C5
__WSAFDIsSet.WS2_32(?,?), ref: 005BE5DB
__WSAFDIsSet.WS2_32(?,?), ref: 005BE5F2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 28eb2156f2d06c77ebf5ab018247b10644e19a41479297fd686b39a3b124c313
Instruction ID: 1ad0c940a3817f6be674803b59791ffa237f1f3658c4fad218fd1bb4879e2ef7
Opcode Fuzzy Hash: 28eb2156f2d06c77ebf5ab018247b10644e19a41479297fd686b39a3b124c313
Instruction Fuzzy Hash: 0CC142749002198BDF25CF29C9867EDBBB9BF98310F5849E9D859A7241D730AFC18F50

Uniqueness

Uniqueness Score: -1.00%

Function 005584C0 Relevance: 7.5, APIs: 5, Instructions: 33keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 005584CC
GetKeyState.USER32(00000002), ref: 005584DB
GetKeyState.USER32(00000001), ref: 005584E7
GetKeyState.USER32(00000010), ref: 005584F3
GetKeyState.USER32(00000012), ref: 005584FF

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: cf2d8ee1f580c170df160aac9ae4612a52806b6ae81d3e71137e7aa4d1f4c146
Instruction ID: f1696334641c026382654bf44b4c6aec8c10fee52b8e56ef6a7ab04f747e181b
Opcode Fuzzy Hash: cf2d8ee1f580c170df160aac9ae4612a52806b6ae81d3e71137e7aa4d1f4c146
Instruction Fuzzy Hash: 06E0656BF8027B50EE2032D89C01FB58D106FA4BD9F430166EE48FB0881DC2284328B0

Uniqueness

Uniqueness Score: -1.00%

Function 005B83A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 005B83C0
_strstr.LIBCMT ref: 005B83E5

Strings

-----END PUBLIC KEY-----, xrefs: 005B83DC
-----BEGIN PUBLIC KEY-----, xrefs: 005B83BA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _strstr
String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
API String ID: 2882301372-1157147699
Opcode ID: 53ea3bd3852a7c45fd506b19262db720dcc97750ade097545849249c7723dd05
Instruction ID: 8292c52ff0a459c3cd01ec627884aabde3ea079dfa83193971485d63056b79e8
Opcode Fuzzy Hash: 53ea3bd3852a7c45fd506b19262db720dcc97750ade097545849249c7723dd05
Instruction Fuzzy Hash: 39213772A0021667CF205F6DBC457F9BFDDFB45255F8416B6ED08C7201EA22AC50C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 005CCF40 Relevance: 6.6, Strings: 5, Instructions: 386COMMON

Download Yara Rule

Strings

%02d:%02d:%02d%n, xrefs: 005CD0A1
+, xrefs: 005CD19D
<, xrefs: 005CD2C9
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 005CCFE4
%02d:%02d%n, xrefs: 005CD0CE

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<
API String ID: 0-2356964677
Opcode ID: 09a3d68d9e618e22dc01181029a826c0fe57d9c00eb48dd07dd92185b436001d
Instruction ID: b9345412fbfbc9029af96dbf16c3d361bb5836503dd649196b65d063c9309b2a
Opcode Fuzzy Hash: 09a3d68d9e618e22dc01181029a826c0fe57d9c00eb48dd07dd92185b436001d
Instruction Fuzzy Hash: CED18E71E002599EDF14DFE8C885AADBBB5BF85320F24423EE425E72C1E7309D468B61

Uniqueness

Uniqueness Score: -1.00%

Function 005CE400 Relevance: 6.0, APIs: 4, Instructions: 31encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 005CE41A
CryptGenRandom.ADVAPI32(00000000,?,?), ref: 005CE42D
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005CE43C
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005CE44B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireRandom
String ID:
API String ID: 2916321625-0
Opcode ID: b4dfb578a03a355578c9489c4d1ff1e872430aa353ffda9ee9dc6d4729f0c686
Instruction ID: 4bfab8897a369bf78b4ebf891adba545653c65070af2e42ab68cfec47050f764
Opcode Fuzzy Hash: b4dfb578a03a355578c9489c4d1ff1e872430aa353ffda9ee9dc6d4729f0c686
Instruction Fuzzy Hash: 23F01C3074824DFBEF208FA0DD0AFA97B79FB05741F104095FA08E9190EA769A519B55

Uniqueness

Uniqueness Score: -1.00%

Function 006144D7 Relevance: 4.7, APIs: 3, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACB3
Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACE9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061452B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00614575
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061463B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 4fee15ec7da1ceb5cfc05e1858861e46d64b5c9bcb983cc1d0c5687b39940100
Instruction ID: 9785774b0aabc06a24d78beece9f3546b07668f488f7ff7b19f860e0baf93630
Opcode Fuzzy Hash: 4fee15ec7da1ceb5cfc05e1858861e46d64b5c9bcb983cc1d0c5687b39940100
Instruction Fuzzy Hash: 3061C17155021B9BDB289F28CC82BFA77AAEF06314F184179E905C7281EF34D9D1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005FE8E0 Relevance: 3.5, APIs: 2, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781217d3a5e987a853bb72d1d7e692ab5c74a05dc2f45d69b00546a7a43613b5
Instruction ID: f5cf8208e8ba16aba764fdbc85eaf119b44aa39a389fbe694e4aa03a02594973
Opcode Fuzzy Hash: 781217d3a5e987a853bb72d1d7e692ab5c74a05dc2f45d69b00546a7a43613b5
Instruction Fuzzy Hash: FA024E71E002199FDF14CFA8C9816AEBBB1FF88314F158269E919EB355D735AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00574AD0 Relevance: 3.4, APIs: 2, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cb9b481fb92fb133a201edfaae208439ade023558bf8016386526ecaa2c207
Instruction ID: e92c649177c4a0ac5cb2896b581ba04ae53cc930a7c1d1cd8d940fda8d410b9c
Opcode Fuzzy Hash: 35cb9b481fb92fb133a201edfaae208439ade023558bf8016386526ecaa2c207
Instruction Fuzzy Hash: C4E1B0716043418FD724CF28E4857AABBE1FB89314F448A6DEC9D8B382D731E945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 005DCDB0 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(0000FEED), ref: 005DCDDC
GetCurrentProcessId.KERNEL32(?,?,005DD13B,0000FF0D,?,?,?,?,?), ref: 005DCE13

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CurrentProcesshtons
String ID:
API String ID: 2530476045-0
Opcode ID: 36af99b4087dbed31c7bd2c475e189606e651ed0e8c7c9c9a73de334f59baa99
Instruction ID: 870aa15dacdd2b2dc3042ad955075766b131881ecb64cbd06b0382ede424a7fd
Opcode Fuzzy Hash: 36af99b4087dbed31c7bd2c475e189606e651ed0e8c7c9c9a73de334f59baa99
Instruction Fuzzy Hash: A3017C795143948BCB00CF69D4806A6B7E4FF19310F05A68AEC489F357E370EA90C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 005E4500 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

WDigest, xrefs: 005E454B, 005E48E6
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 005E477E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: WDigest$digest_sspi: MakeSignature failed, error 0x%08lx
API String ID: 0-280454364
Opcode ID: 00d43c3546ff6b829351a50820cc2a98230a462f523509ba330515b320032af3
Instruction ID: a7f51f07576783f7be301fb66473f462aaf2d9eabfdbb8012289ccb92937f96b
Opcode Fuzzy Hash: 00d43c3546ff6b829351a50820cc2a98230a462f523509ba330515b320032af3
Instruction Fuzzy Hash: DB129B70A003498FDB24CFA9DC85BAEBBB5FF49305F144069E94AEB251EB35A944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005BED70 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000104,00000000), ref: 005BED7E
WSAGetLastError.WS2_32(?,005E32B3,00000104,?,?,?,?,?,?,?,?,00000104,00000008,?), ref: 005BED8B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 55e35cfda303dc2846f017e25197312e0b04af4ec4a66d8593512d1a774caf51
Instruction ID: 60f8a63a9db867b8b94e21e9621e375860263c2b7092627b9ee24bd141036a2b
Opcode Fuzzy Hash: 55e35cfda303dc2846f017e25197312e0b04af4ec4a66d8593512d1a774caf51
Instruction Fuzzy Hash: 0EE026302082086FDF089FA0EC057AD3BA7EB85320F504178FA1ECA6E0C632DD519B00

Uniqueness

Uniqueness Score: -1.00%

Function 00608326 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00608321,?,?,00000008,?,?,00617C8B,00000000), ref: 00608553

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: af0c6460fd57abf6c78298e35c86de3b0b34ff970fa770a4be074dceb8f373ff
Instruction ID: 885aa4056d1a4dafdc52c09a544aa13545beea41735f0b5d08fa7620707e0e46
Opcode Fuzzy Hash: af0c6460fd57abf6c78298e35c86de3b0b34ff970fa770a4be074dceb8f373ff
Instruction Fuzzy Hash: 13B11831250605CFD719CF28C486AA67BE1FF45364F298658E8DACF2E1CB35E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0061472C Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACB3
Part of subcall function 0060AC51: _free.LIBCMT ref: 0060ACE9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00614780

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: fc02d8d914c4712736ce6c40da5ebdbd997acea1561f996bdc6646c1c56497d5
Instruction ID: 6a4c342ce6d926c1784c54c0c3fb56f0ed2cb3274846901e81c636107a6a040f
Opcode Fuzzy Hash: fc02d8d914c4712736ce6c40da5ebdbd997acea1561f996bdc6646c1c56497d5
Instruction Fuzzy Hash: BC21F27265520AABDB289A25DC82AFA37AEEF45310F14017EFE05D7281EF34ED818750

Uniqueness

Uniqueness Score: -1.00%

Function 006143B1 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

EnumSystemLocalesW.KERNEL32(006144D7,00000001,00000000,?,00607484,?,00614B0F,00000000,00000055,?,?), ref: 00614423

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c0839bebdce473f57942dc36eaf08863e544060a5c5a0240ce31772b315cbb0e
Instruction ID: 69c6b017148d063dc4638e04a6bf70d74af4376f118f59f0ce56b31093edc557
Opcode Fuzzy Hash: c0839bebdce473f57942dc36eaf08863e544060a5c5a0240ce31772b315cbb0e
Instruction Fuzzy Hash: E611293A2007015FDB18AF39C8916FAB7A2FF80358B19442CEA4687B40D771B983C740

Uniqueness

Uniqueness Score: -1.00%

Function 0061495C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006146F3,00000000,00000000,?), ref: 00614988

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 42e75cf0b417f53053b4fa99da846842cf843818c94f190b9a8505ebeb1d4eb6
Instruction ID: 9544648f44d88af8473d5bbcc60da76f709e6ca625c5fbb6218bcc2796548694
Opcode Fuzzy Hash: 42e75cf0b417f53053b4fa99da846842cf843818c94f190b9a8505ebeb1d4eb6
Instruction Fuzzy Hash: A7F0F932A00115BBDB289A64C805BFB77AAEF40754F194929EC09A3280DE71FD81C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0061444C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

EnumSystemLocalesW.KERNEL32(0061472C,00000001,00000005,?,00607484,?,00614AD3,00607484,00000055,?,?,?,?,00607484,?,?), ref: 00614496

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 03ce8fd72f653b677d60a28357a02e848e68da01cdcb11dcc766742b6c7aaf82
Instruction ID: ea52fe047ad41f736d5250ebc16f6a159af324ae719fcf091946acb6d134c9bf
Opcode Fuzzy Hash: 03ce8fd72f653b677d60a28357a02e848e68da01cdcb11dcc766742b6c7aaf82
Instruction Fuzzy Hash: ECF046362003045FDB24AF789885BFA7BD6EFC0368B19842CFA4A4B690CA719C82C600

Uniqueness

Uniqueness Score: -1.00%

Function 00614366 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060AC51: GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
Part of subcall function 0060AC51: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

EnumSystemLocalesW.KERNEL32(006142BD,00000001,00000005,?,?,00614B31,00607484,00000055,?,?,?,?,00607484,?,?,?), ref: 0061439D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: dcbf281d8077aa1da13ce34697ef0f34b306e6d9d0fb23d9a937cc8ec5501ddf
Instruction ID: 209623419520fefcf8af81108f7187790783d8d4e86a5e21bed6859250f506ad
Opcode Fuzzy Hash: dcbf281d8077aa1da13ce34697ef0f34b306e6d9d0fb23d9a937cc8ec5501ddf
Instruction Fuzzy Hash: 59F0E53634020557CB14AF76D859AEA7F96EFC1754B0B405CFB298B290CA719983C790

Uniqueness

Uniqueness Score: -1.00%

Function 0060C26F Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00603D1B: EnterCriticalSection.KERNEL32(-0001CE9C,?,00605B23,00000000,006512B0,0000000C,00605AEA,00521057,?,0060C238,00521057,?,0060ADF3,00000001,00000364,00000006), ref: 00603D2A

EnumSystemLocalesW.KERNEL32(0060C262,00000001,00651530,0000000C,0060C6C5,00000000), ref: 0060C2A7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 8ea18561f39e116ac8534a693a19df9cf0d97803853fe082a2f014b8d0957225
Instruction ID: 398911c7e44096f0468524a5c04136b68709101175eb395ad46c4ea5dd8446eb
Opcode Fuzzy Hash: 8ea18561f39e116ac8534a693a19df9cf0d97803853fe082a2f014b8d0957225
Instruction Fuzzy Hash: 2BF03A71980305EFD704EFA8D806B5E7BE2FB45726F104169F5109B2E1DB744A018F44

Uniqueness

Uniqueness Score: -1.00%

Function 0060C822 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,006075B3,?,20001004,?,00000002,00000000,?,?), ref: 0060C856

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 866cc993705ddc0604f52766e32a63988d6401f1f2daf8b5686e76d8d4dd43be
Instruction ID: 1859fd815d41db7416575bc14ce1ae0bfa8af3a55fcc8cf736f5c9d9893fff55
Opcode Fuzzy Hash: 866cc993705ddc0604f52766e32a63988d6401f1f2daf8b5686e76d8d4dd43be
Instruction Fuzzy Hash: CBE0DF3518061CFBCF262F24DC08AAF3F1BEF44760F008224FD05652A1CB318921AAD8

Uniqueness

Uniqueness Score: -1.00%

Function 005F6299 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 005F6415

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: dce2a003d242416303bf4556f46a9ca60f79195e98dac8c23b45ceef41149dab
Instruction ID: f10a1e460ce3e277147033a28283a2ad2c198240431e0517a1c602836f31da70
Opcode Fuzzy Hash: dce2a003d242416303bf4556f46a9ca60f79195e98dac8c23b45ceef41149dab
Instruction Fuzzy Hash: 6B518B7060464D56DF389A2885DD7BEAF9ABB52300F180C2DEB83D72C2C61DDD49D356

Uniqueness

Uniqueness Score: -1.00%

Function 0060C861 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0060C867, 0060C871

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: c5e8e8913220a95675eaffc016b576c143c0e457816686295a02d9beed85a2fa
Instruction ID: 7df863ed2b6d733111be6e31fb92313423109749bc0cec8ab176ff9336d861e3
Opcode Fuzzy Hash: c5e8e8913220a95675eaffc016b576c143c0e457816686295a02d9beed85a2fa
Instruction Fuzzy Hash: B0E0C232AC062567C33467886C16EAA7A47D761BB2F090172FA08792D2C565189186E4

Uniqueness

Uniqueness Score: -1.00%

Function 005A25B0 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e89f8df998ef39cda61aa4940436cb7644fb446e7947a10fc9fb3fc849b1d496
Instruction ID: 51b98289235c15339e5202be1fe4ba4b101e6a1bb5e61863b2c74acbb71de95d
Opcode Fuzzy Hash: e89f8df998ef39cda61aa4940436cb7644fb446e7947a10fc9fb3fc849b1d496
Instruction Fuzzy Hash: 8E524971A007059FCB25CF69C4917AEBFF1BF8A300F14896ED49A97311EB30A949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00618EE0 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7f92e76aa5629ee0ca48da02a74e54bffcb2ae4fc08d953792af9e8f617537
Instruction ID: 2e6d561f1b101f37feca75f23b5bd88f8070012a1f77e97fdc01db7a8b579486
Opcode Fuzzy Hash: bf7f92e76aa5629ee0ca48da02a74e54bffcb2ae4fc08d953792af9e8f617537
Instruction Fuzzy Hash: F7322525D28F010DD7239634C832375A28BAFB73C4F58E737F81AB5AA6EB2984C34151

Uniqueness

Uniqueness Score: -1.00%

Function 00610179 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bae86785045852086359f9037415ec19c04b0766b0ee89c54bcc3b1586d164c
Instruction ID: 759316f87f4f83ff08e7ff1bfeccf636859335245d70d9cd5820879e70151fba
Opcode Fuzzy Hash: 7bae86785045852086359f9037415ec19c04b0766b0ee89c54bcc3b1586d164c
Instruction Fuzzy Hash: BC32F431D29F014DEB639634C932379624AAFB73D4F19E727E819B5AA6EF29C4C34140

Uniqueness

Uniqueness Score: -1.00%

Function 0059C3F0 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37911cc4e675449085dc4e44f0e56f9c8ef1f8c3548651b190c6dafd2cb2ae12
Instruction ID: 4f55138341ca0f2dd912d17859a7d86f8c284efbc49af4e27b2ce5697f7b0346
Opcode Fuzzy Hash: 37911cc4e675449085dc4e44f0e56f9c8ef1f8c3548651b190c6dafd2cb2ae12
Instruction Fuzzy Hash: 4B029D71B00616AFDB18CF69C4947A9FFE0FF5A300F24466AD49ADB741EB30A855CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0059CE50 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02c86a6f740c1c816c78fa070b0f12809949643631bff2b04aaf23b24c8b0d2
Instruction ID: edc1f70ccae44be48ca31f9dce1ed6b622929b553e8f90cbaa78e12e11fc4952
Opcode Fuzzy Hash: a02c86a6f740c1c816c78fa070b0f12809949643631bff2b04aaf23b24c8b0d2
Instruction Fuzzy Hash: 4B0227B1A00B02DFDB24CF69C8847AABBF1FF49301F14896ED49AC7651E734A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005724A0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18f3b050c1ca96af957f96a261b8b59958bd7c2c52be06a0ffffb0258353930
Instruction ID: dfa770840e2d841c910c779408b0c7124616e09f801bd1202492b8a9acf9b30f
Opcode Fuzzy Hash: f18f3b050c1ca96af957f96a261b8b59958bd7c2c52be06a0ffffb0258353930
Instruction Fuzzy Hash: 11F11871E002298FDB24CF58D990BACBBB1FF98310F1581EAD90DA7351DA30AE859F50

Uniqueness

Uniqueness Score: -1.00%

Function 0059EC80 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1529f0649473d87c9dba84ae8fff22cbdae1dfce663ebcad4ee59a2d4481a81
Instruction ID: ad9b986dd672e1e1e1fdfd76f6f4f9491d63eae2b7bccff1863f655ca4e86d0a
Opcode Fuzzy Hash: d1529f0649473d87c9dba84ae8fff22cbdae1dfce663ebcad4ee59a2d4481a81
Instruction Fuzzy Hash: 6DD19571E006158FDB24CF19C882A69BBF6FFD9310F24886ED09AD7752E674E9858F40

Uniqueness

Uniqueness Score: -1.00%

Function 0059E950 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc03e3b8062e616ce021f41c39d35b6c729dfda96af153250887f4cc239753ca
Instruction ID: 35846fa53d5d163495470690902dfe869c308d4d9b4327d01b30473a7e93688b
Opcode Fuzzy Hash: bc03e3b8062e616ce021f41c39d35b6c729dfda96af153250887f4cc239753ca
Instruction Fuzzy Hash: 03B17F71A00A058FCF28CF29C88656ABBF2FFD9310B28892ED49AD7751D774E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005B03D0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0975f99126439cf93ab5a7a91bd5b4179bf0e935006390bf583b87df5a66e5
Instruction ID: 7306e30fe0ea790d144638fe54cd22fbb599e675d0baca3a4bb53adf05f08d23
Opcode Fuzzy Hash: 2f0975f99126439cf93ab5a7a91bd5b4179bf0e935006390bf583b87df5a66e5
Instruction Fuzzy Hash: ADA18971E002198BDF24CF69C8807EEBBB5BF98314F255169E949E72D1EB30ED518B90

Uniqueness

Uniqueness Score: -1.00%

Function 005F21F1 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c9405f82d3b805114e036de1e44250a0f4adf80e64ef6aeeec0c5ab70e27c78c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EB9188B62090A74ADB2D467E847803EFFE17A513A1B1A0B9DE5F2CF1C5EE2CC554D620

Uniqueness

Uniqueness Score: -1.00%

Function 005F24AC Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 52178ea560b8b4a99a7effd279f14a522a2d30d302eb658362d4f8d2b129e900
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: E59177B21090E74ADB69427A857403EFFE17A523A1B1A079DE5F2CF1C5EE18C964D630

Uniqueness

Uniqueness Score: -1.00%

Function 005F64CD Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6791724bec605d0563dc2eaf52bae31e99a178788eaa9c9eec765dbde87890fd
Instruction ID: 7c14c8f6eaac7f4a48e8e90d082c963dcf10fb51c8e6881703b0ff9b4419621a
Opcode Fuzzy Hash: 6791724bec605d0563dc2eaf52bae31e99a178788eaa9c9eec765dbde87890fd
Instruction Fuzzy Hash: FF617AB064020E56DF38AA2898A5B7E7FA5FF45704F94092EE742FB289DB2DDD41C701

Uniqueness

Uniqueness Score: -1.00%

Function 005F6065 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0befea5ea1242b632676d328104bfe891dfe4a705b9c268123eb1d1380f1100e
Instruction ID: 8e213774a5d8d1afe38e0070c142a5c3a1eb6b6c6d93ea78b818b02ffb8247e0
Opcode Fuzzy Hash: 0befea5ea1242b632676d328104bfe891dfe4a705b9c268123eb1d1380f1100e
Instruction Fuzzy Hash: B5514C7460064D5ADF389A28899EFBF6F9EBB92304F24491ED742D7283CA1DDD48C352

Uniqueness

Uniqueness Score: -1.00%

Function 005947D0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91887ab2d7718b14461dd593c4bd07837b908799bb3e6d6111a1b414f6945e9
Instruction ID: 4934a4d8c3ee35688557b63f393651e4cd669ed40511f13a6072621ff059d95a
Opcode Fuzzy Hash: c91887ab2d7718b14461dd593c4bd07837b908799bb3e6d6111a1b414f6945e9
Instruction Fuzzy Hash: C5B19D74411705AED342CF34C5987D17BE5BF5A308F6994BEC8898F222FB72A54ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 005FC8EA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9547aa6da537c62f744b59c3f1d91c173588a566f287075b76e6c18a33521964
Instruction ID: 001a8bf7841957a13af895151b5fc1decc1a70b33ca5e15d68ece65fedce1402
Opcode Fuzzy Hash: 9547aa6da537c62f744b59c3f1d91c173588a566f287075b76e6c18a33521964
Instruction Fuzzy Hash: 49513C71E0011DAFDB04CF99CA41ABEBFB2FF88310F1980A9E555AB201C735AE51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00572DB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921676ad2905b4fcf0a965e603ec31bf7f19d21626121235af1938c05256430a
Instruction ID: 9aae3c8191916435ec609f3341e01fab2ce4c4040ab044cf83d99d526f9ed00f
Opcode Fuzzy Hash: 921676ad2905b4fcf0a965e603ec31bf7f19d21626121235af1938c05256430a
Instruction Fuzzy Hash: 8B2133305240B54AC74C4B69BC21436FF95EF4621338B52ABD9CBDA4C2C529D564E7E0

Uniqueness

Uniqueness Score: -1.00%

Function 005ECB00 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c68a8d4a0846ebc4b09b0a145e38f1195cbc43887bcb385cbd8187a09426d5f
Instruction ID: 1844cd0d0d601063b7884f06718d0f414b3286fea5a757b8e819b21f40aff6c6
Opcode Fuzzy Hash: 9c68a8d4a0846ebc4b09b0a145e38f1195cbc43887bcb385cbd8187a09426d5f
Instruction Fuzzy Hash: 3AF0E22200292007EF13583E70C1AF3AB8BCFE6964BE1206194CC435D2865F780FD3E4

Uniqueness

Uniqueness Score: -1.00%

Function 0059E130 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63be74787ca6cafde852f93c6401074a94fcb0620eda273b6d7aea0933a15498
Instruction ID: d5fbbc6e5cfd7ec1741d544403c77dd5afa795ead7daec5fe446ae0b5126d703
Opcode Fuzzy Hash: 63be74787ca6cafde852f93c6401074a94fcb0620eda273b6d7aea0933a15498
Instruction Fuzzy Hash: ACF096F1506605EBDB089F1CE589692FFF4FB01314F01C25AEA1C4B201D3716854CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 005E4140 Relevance: 94.7, APIs: 4, Strings: 50, Instructions: 156COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,005E3CAB,005C01F7,?,000000FF,?,?,005C01F7,?,?), ref: 005E4145
_strncpy.LIBCMT ref: 005E4372
GetLastError.KERNEL32(005C01F7,?,?,?,?,?,?,?,?,?,?,005B90AB), ref: 005E4392
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,005B90AB), ref: 005E439D

Strings

Timed out, xrefs: 005E42B5
Bad file, xrefs: 005E4193
Bad protocol, xrefs: 005E41F7
Socket has been shut down, xrefs: 005E42A1
Bad access, xrefs: 005E419D
Protocol option is unsupported, xrefs: 005E4201
Need destination address, xrefs: 005E41E3
Bad argument, xrefs: 005E41A7
Blocking call in progress, xrefs: 005E41CF
Operation not supported, xrefs: 005E421F
Network down, xrefs: 005E4251
Call interrupted, xrefs: 005E4189
No buffer space, xrefs: 005E4283
Protocol is unsupported, xrefs: 005E420B
Descriptor is not a socket, xrefs: 005E41D9
Winsock library is not ready, xrefs: 005E431F
No data record of requested type, xrefs: 005E4354
Bad quota, xrefs: 005E4303
Host unreachable, xrefs: 005E42E7
Call would block, xrefs: 005E41C5
Remote error, xrefs: 005E4311
Connection refused, xrefs: 005E42BF
Winsock library not initialised, xrefs: 005E4326
Socket is already connected, xrefs: 005E428D
Network has been reset, xrefs: 005E4265
Address not available, xrefs: 005E4247
Loop??, xrefs: 005E42C9
Network unreachable, xrefs: 005E425B
Bad message size, xrefs: 005E41ED
Socket is not connected, xrefs: 005E4297
Socket is unsupported, xrefs: 005E4215
Winsock version not supported, xrefs: 005E432D
Invalid arguments, xrefs: 005E41B1
Protocol family not supported, xrefs: 005E4233
Connection was reset, xrefs: 005E4279
Host not found, xrefs: 005E4334
Unrecoverable error in call to nameserver, xrefs: 005E435B, 005E4370
Not empty, xrefs: 005E42EE
Address already in use, xrefs: 005E423D
Too many references, xrefs: 005E42AB
Connection was aborted, xrefs: 005E426F
Too many users, xrefs: 005E42FC
Address family not supported, xrefs: 005E4229
Host not found, try again, xrefs: 005E4362
Out of file descriptors, xrefs: 005E41BB
Something is stale, xrefs: 005E430A
Process limit reached, xrefs: 005E42F5
Name too long, xrefs: 005E42D3
Disconnected, xrefs: 005E4318
Host down, xrefs: 005E42DD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$_strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 3397631897-3442644082
Opcode ID: 699b89d66a0cbdcbed353f2ce2175b9d4f1e220f596b15ab12e9fde04ea3ed16
Instruction ID: 606f05d2f2704bc165b7e96384d2ad6684eb2e6a58ac31977d2d83077ed06c1f
Opcode Fuzzy Hash: 699b89d66a0cbdcbed353f2ce2175b9d4f1e220f596b15ab12e9fde04ea3ed16
Instruction Fuzzy Hash: DB4196317089E287831C8D9A650493DAD97FB99B0ABA54DA675C38FF00C295CDC1EE53

Uniqueness

Uniqueness Score: -1.00%

Function 00534700 Relevance: 49.1, APIs: 4, Strings: 24, Instructions: 147fileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,6F923D37), ref: 0053478A
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,?,?,0063CEDC,00000001,?,?,SetupLogName), ref: 00534851
CloseHandle.KERNEL32(00000000), ref: 0053486D
DeleteFileW.KERNEL32(?), ref: 0053487E

Strings

%s\MobiMover\InstallProc\Download\, xrefs: 005352A1
Downloading, xrefs: 00535CB4, 00536068, 005361DE, 00536415, 005367D4, 0053690E
Result_iTunesdevicedriver, xrefs: 0053603E, 005361B4
C:, xrefs: 00537BD8
ProductID, xrefs: 005353A9
Result_Youtubedll, xrefs: 005367AA, 00536901
SetupLogName, xrefs: 005347AB
Failed, xrefs: 00535E8B, 005365EC
_easeus.exe, xrefs: 00534F04
Info_iTunesdevicedriver, xrefs: 00535C87
ProductName, xrefs: 00534E22
Errorinfo, xrefs: 00535F49, 005366C5
PH', xrefs: 00535182
DOWNLOAD_VERSION, xrefs: 00534DC0
Result, xrefs: 00535E64, 00536138, 005365C5, 005368C5
Success, xrefs: 0053615F, 005368E9
%s\MobiMover\InstallProc\, xrefs: 00535276
trial, xrefs: 00534DF7
EXEDIR, xrefs: 00534D79
Info_Youtubedll, xrefs: 005363E8
%s\MobiMover, xrefs: 005351DD
%s\MobiMover\Download\, xrefs: 0053521E
APPDATA, xrefs: 005351CB
Stopped, xrefs: 00535F39, 00535F91, 00535F92, 005366B2, 00536706, 00536707

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: File$CloseCreateDeleteHandlePathTemp
String ID: %s\MobiMover$%s\MobiMover\Download\$%s\MobiMover\InstallProc\$%s\MobiMover\InstallProc\Download\$APPDATA$DOWNLOAD_VERSION$Downloading$EXEDIR$Errorinfo$Failed$Info_Youtubedll$Info_iTunesdevicedriver$ProductID$ProductName$PH'$Result$Result_Youtubedll$Result_iTunesdevicedriver$SetupLogName$Stopped$Success$_easeus.exe$trial$C:
API String ID: 2085881213-3646548034
Opcode ID: 6739ebce8d8eb8b538b3e08217bf070be59bd3f01cd02b2132e29f90c612e231
Instruction ID: d9563ea6e098b7158e417de1844ebd268362b0ebff402b540ded853de3fd6cde
Opcode Fuzzy Hash: 6739ebce8d8eb8b538b3e08217bf070be59bd3f01cd02b2132e29f90c612e231
Instruction Fuzzy Hash: CC51E270A00218ABDB20EF64DC4DB9EBBB6FF45704F104599F505AB2C1DB78AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00568330 Relevance: 46.0, APIs: 25, Strings: 1, Instructions: 457COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0056838A
GetClipBox.GDI32(?,?), ref: 005683DA
CreateRectRgnIndirect.GDI32(?), ref: 005683EA
CreateRectRgnIndirect.GDI32(?), ref: 005683F6
ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 00568405
IntersectRect.USER32(?,?,?), ref: 005684C8

Strings

IListItem, xrefs: 0056860E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect$ClipCreateIndirectIntersect$Select
String ID: IListItem
API String ID: 3915324890-3953988410
Opcode ID: c12cbc215d7d2b933653cb4ecbc68e9ecbf9dd23471875f20571ad163fe72ef2
Instruction ID: d2abaa469a86ad7f5f1b620a65b4a3a9d909809172535e02f53350d98b6b3604
Opcode Fuzzy Hash: c12cbc215d7d2b933653cb4ecbc68e9ecbf9dd23471875f20571ad163fe72ef2
Instruction Fuzzy Hash: A5122531A00619DFCF15DFA8CC44AEDBBB6FF99300F14426AE915AB261DB31A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005E6630 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 280encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00002000,00000000), ref: 005E673D
GetLastError.KERNEL32 ref: 005E674C
CertCreateCertificateChainEngine.CRYPT32(00000030,?), ref: 005E67D9
GetLastError.KERNEL32 ref: 005E67E3
CertGetCertificateChain.CRYPT32(?,?,00000000,00000000,?,20000000,00000000,?), ref: 005E683A
GetLastError.KERNEL32 ref: 005E6844
CertFreeCertificateChainEngine.CRYPT32(?), ref: 005E698B
CertCloseStore.CRYPT32(?,00000000), ref: 005E699B
CertFreeCertificateChain.CRYPT32(?), ref: 005E69A9
CertFreeCertificateContext.CRYPT32(?), ref: 005E69B7

Strings

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 005E68BC
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 005E68A0
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 005E690A
schannel: failed to create certificate chain engine: %s, xrefs: 005E67F1
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 005E6881
0, xrefs: 005E67CD
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 005E68F4
schannel: Failed to read remote certificate context: %s, xrefs: 005E6970
schannel: failed to create certificate store: %s, xrefs: 005E675A
schannel: CertGetCertificateChain failed: %s, xrefs: 005E6852
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 005E68D8
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 005E6718

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateOpen
String ID: 0$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: Failed to read remote certificate context: %s$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 713146188-2670036763
Opcode ID: 4c8558f9fdf4f08b44888f6a0f0a4da4d211b930b9abb91c6d85e721bb1e2d04
Instruction ID: 89d78dc68864ecb9fe9b45eee97b9f436ebdb08452d6dfa6cb94959a22829d20
Opcode Fuzzy Hash: 4c8558f9fdf4f08b44888f6a0f0a4da4d211b930b9abb91c6d85e721bb1e2d04
Instruction Fuzzy Hash: 83A1F870600741ABEB248F65CC99BEE7BA9FF653C4F044468F996EB282D730A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00582EC0 Relevance: 30.2, APIs: 4, Strings: 13, Instructions: 431COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 005830E9
CharNextW.USER32(?), ref: 00583169
CharNextW.USER32(?), ref: 005831D9
CharNextW.USER32(?), ref: 00583249

Strings

selitemtextcolor, xrefs: 00583198
itemtextcolor, xrefs: 005830A6
expandable, xrefs: 005832CF
text, xrefs: 00582ECA
folderattr, xrefs: 00582FB6
horizattr, xrefs: 00582F16
selected, xrefs: 00583278
dotlineattr, xrefs: 00582F66
checkboxattr, xrefs: 00583006
itemattr, xrefs: 00583056
true, xrefs: 00583308
selitemhottextcolor, xrefs: 00583208
itemhottextcolor, xrefs: 00583122

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext
String ID: checkboxattr$dotlineattr$expandable$folderattr$horizattr$itemattr$itemhottextcolor$itemtextcolor$selected$selitemhottextcolor$selitemtextcolor$text$true
API String ID: 3213498283-3714843181
Opcode ID: 1301d8ef01ceb8d9a4bff705d69af0ac41fbafd33500788564bc74fb56e5786a
Instruction ID: a94ccef0ae37a9b886739bd461126755fe8dde5c649d6122afb73053b27a4fa7
Opcode Fuzzy Hash: 1301d8ef01ceb8d9a4bff705d69af0ac41fbafd33500788564bc74fb56e5786a
Instruction Fuzzy Hash: 63D1AE726101029AEB10BF20D8467B67BA6FF75B68F948476DD06EF215E733DA41C710

Uniqueness

Uniqueness Score: -1.00%

Function 005D06E0 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 286encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32(00000000,?,?,?,?,?,?), ref: 005D0A31

Strings

schannel: failed to setup replay detection, xrefs: 005D0793
schannel: SSL/TLS connection with %s port %hu (step 3/3), xrefs: 005D074B
ALPN, server did not agree to a protocol, xrefs: 005D08A7
schannel: ALPN, server accepted to use %.*s, xrefs: 005D086B
schannel: failed to store credential handle, xrefs: 005D0978
schannel: stored credential handle in session cache, xrefs: 005D09A3
schannel: failed to setup memory allocation, xrefs: 005D07CA
schannel: failed to setup stream orientation, xrefs: 005D07E7
schannel: old credential handle is stale, removing, xrefs: 005D092F
/1.1, xrefs: 005D0891
schannel: failed to retrieve remote cert context, xrefs: 005D0A4E
schannel: failed to setup confidentiality, xrefs: 005D07AD
schannel: failed to retrieve ALPN result, xrefs: 005D082F
schannel: failed to setup sequence detection, xrefs: 005D0779
http, xrefs: 005D0888

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CertCertificateContextFree
String ID: /1.1$ALPN, server did not agree to a protocol$http$schannel: ALPN, server accepted to use %.*s$schannel: SSL/TLS connection with %s port %hu (step 3/3)$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle$schannel: old credential handle is stale, removing$schannel: stored credential handle in session cache
API String ID: 3080675121-113316134
Opcode ID: e6fea2f0680be0f229ae51ab06417fb0cb3548d2cfa644b785f9a64fd5eccede
Instruction ID: a0261ad8bcbff155b89b495f6b1b146ca580e67946eec26d47c474eec6fb3ff5
Opcode Fuzzy Hash: e6fea2f0680be0f229ae51ab06417fb0cb3548d2cfa644b785f9a64fd5eccede
Instruction Fuzzy Hash: 18A13830A006159BDB35DB18DC56BED7BA4FF45315F0404AAF9099B2C2DB31AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00578EF1 Relevance: 27.3, APIs: 18, Instructions: 258windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00578EFF
CreateDIBSection.GDI32 ref: 00578F8A
SelectObject.GDI32(00000000,00000000), ref: 00578FA9
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CC0020), ref: 00578FD0
SelectObject.GDI32(00000000,?), ref: 00578FDB
CreateDIBSection.GDI32 ref: 00579053
SelectObject.GDI32(00000000,00000000), ref: 00579072
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00200001,00000000,00CC0020), ref: 00579091
SelectObject.GDI32(00000000,?), ref: 0057909C
SelectObject.GDI32(00000000,?), ref: 005791CD
BitBlt.GDI32(?,00200001,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 005791EC
SelectObject.GDI32(00000000,?), ref: 005791F7
DeleteObject.GDI32(?), ref: 00579210
DeleteObject.GDI32(?), ref: 0057921F
DeleteDC.GDI32(00000000), ref: 00579222
DeleteObject.GDI32(?), ref: 00579243
DeleteDC.GDI32(00000000), ref: 0057924A
DeleteDC.GDI32(00000000), ref: 00579265

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Object$DeleteSelect$Create$Section$CompatibleStretch
String ID:
API String ID: 1473964377-0
Opcode ID: 5036a969bb106b8be59927820e97277da5905512dea2e46aa142c7a6f24b120f
Instruction ID: 8b4810e1a21b589052caffe583939475a62218b3d2ff8aba7662fdd5ec1e4fb3
Opcode Fuzzy Hash: 5036a969bb106b8be59927820e97277da5905512dea2e46aa142c7a6f24b120f
Instruction Fuzzy Hash: 3CA10E72404701AFC7128F31CC09B5BBBE9FF99340F00872AF985A6291D735E862CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00588880 Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 442windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00558F20: GetDC.USER32(?), ref: 00558F8C

GetCursorPos.USER32(?), ref: 00588CA9
ScreenToClient.USER32(?,?), ref: 00588CB9
PostMessageW.USER32(?,00000008,00000000,00000000), ref: 00588D1F
PostMessageW.USER32(?,00000008,00000000,00000000), ref: 00588DB1
GetTickCount.KERNEL32 ref: 00588E00
GetFocus.USER32 ref: 00588E2F
GetParent.USER32(00000000), ref: 00588E36
GetParent.USER32(00000000), ref: 00588E4A
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00588E5D
GetCursorPos.USER32(?), ref: 00588E76
ScreenToClient.USER32(?,?), ref: 00588E86
CallWindowProcW.USER32(?,?,?,?,?), ref: 00588F24

Strings

VerticalLayout, xrefs: 00588990, 005889A6
we, xrefs: 005889AB
ScrollBar, xrefs: 00588CD9, 00588EC8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: MessagePost$ClientCursorParentScreen$CallCountFocusProcTickWindow
String ID: we$ScrollBar$VerticalLayout
API String ID: 3129551459-3414881230
Opcode ID: f28b8554f75fba03c6af6215aefd7fc9f364531f123a2dedb7acac963b525159
Instruction ID: 18a4851cb1d0a9d290f86705bb361145933af3ad1fdc1f81e2c5c2054eb37111
Opcode Fuzzy Hash: f28b8554f75fba03c6af6215aefd7fc9f364531f123a2dedb7acac963b525159
Instruction Fuzzy Hash: 9D12C370A00606DFDB14EF24C854BAABBB6FF44314F1445A8E91DAB2A1DB71BD94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005E03E0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 318COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005E0554
___swprintf_l.LIBCMT ref: 005E05B4
___swprintf_l.LIBCMT ref: 005E0605
___swprintf_l.LIBCMT ref: 005E0648

Strings

blksize, xrefs: 005E0610
%I64d, xrefs: 005E05A9
timeout, xrefs: 005E0653
TFTP file name too long, xrefs: 005E050A
%s%c%s%c, xrefs: 005E0548
netascii, xrefs: 005E0400
octet, xrefs: 005E03F6, 005E053F, 005E05D5, 005E05EB, 005E0618, 005E0631, 005E065B, 005E0671, 005E068B
tftp_send_first: internal error, xrefs: 005E073A
tsize, xrefs: 005E05CD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___swprintf_l
String ID: %I64d$%s%c%s%c$TFTP file name too long$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
API String ID: 48624451-1678188727
Opcode ID: af738d3850f64865d9ef9f363131602d5e65800de6d246ecd42125c45259c980
Instruction ID: ef5bc9baff877784d93ed1eaa9988a3ef1dbbb65f396cf0b21e4c807fb9bb34a
Opcode Fuzzy Hash: af738d3850f64865d9ef9f363131602d5e65800de6d246ecd42125c45259c980
Instruction Fuzzy Hash: DCA14EB26006046FDB24DF68DC46FEF7BAAFFC5304F08056AF94AD7282D631A9158B50

Uniqueness

Uniqueness Score: -1.00%

Function 00590170 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 262filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,dJe,6F923D37), ref: 005901F5
GetFileSize.KERNEL32(00000000,00000000), ref: 0059022E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0059025B
CloseHandle.KERNEL32(00000000), ref: 00590262
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000002), ref: 005903DF
GetFileSize.KERNEL32(00000000,00000000), ref: 005903EF
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0059041C
CloseHandle.KERNEL32(00000000), ref: 00590423
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0059044F
GlobalLock.KERNEL32(00000000), ref: 00590458
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0059047D
GdipAlloc.GDIPLUS(00000010), ref: 00590491
GdipLoadImageFromStream.GDIPLUS(?,00000004), ref: 005904B3
GlobalUnlock.KERNEL32(00000000), ref: 005904D4

Strings

dJe, xrefs: 005901A7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: File$Global$Create$AllocCloseGdipHandleReadSizeStream$FromImageLoadLockUnlock
String ID: dJe
API String ID: 1553753948-2278656182
Opcode ID: bcd40d3800760e468f12481b92c081b428797cb1fc5e36a332a57a802dcf39d4
Instruction ID: eaa65e116119d7e848108a9132a0ab41a699a14e03df2fa233d165ea602d6af1
Opcode Fuzzy Hash: bcd40d3800760e468f12481b92c081b428797cb1fc5e36a332a57a802dcf39d4
Instruction Fuzzy Hash: 36910571900315AFEF309B20DC4AFAE7AB9BB44710F1459A5F90EAB2D1EB70AD44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005DF040 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 198networkCOMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005DF0FE
___swprintf_l.LIBCMT ref: 005DF185
___swprintf_l.LIBCMT ref: 005DF1BC
send.WS2_32(?,?,00000006,00000000), ref: 005DF1DD
WSAGetLastError.WS2_32 ref: 005DF1E7
___swprintf_l.LIBCMT ref: 005DF269
send.WS2_32(?,?,?,00000000), ref: 005DF281
WSAGetLastError.WS2_32 ref: 005DF28B

Strings

%c%c, xrefs: 005DF1AD
Sending data failed (%d), xrefs: 005DF1EE, 005DF292
%c%c%c%c%s%c%c, xrefs: 005DF253
%c%c%c%c, xrefs: 005DF0ED
%127[^,],%127s, xrefs: 005DF14B
%c%s%c%s, xrefs: 005DF176

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___swprintf_l$ErrorLastsend
String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
API String ID: 1939966535-3318542072
Opcode ID: cbedca7d0bb2fe821d41c8a4d282964262ad0b886ade080323449650278f44d0
Instruction ID: 77e4b49c3492610f80e9945118ea2e98d5c6fe052903b701b02e3f0e2d53c6f9
Opcode Fuzzy Hash: cbedca7d0bb2fe821d41c8a4d282964262ad0b886ade080323449650278f44d0
Instruction Fuzzy Hash: 9661F7B5A40209BFE730DB64CC46FFB776DBB45700F0445A6F64AAB283DA71BA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0057F0A0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0057F0F3
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0057F127
SelectObject.GDI32(00000000,00000000), ref: 0057F132
CreateCompatibleDC.GDI32(?), ref: 0057F19B
CreateDIBSection.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 0057F1B7
SelectObject.GDI32(00000000,00000000), ref: 0057F1CE
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0057F1EA
SelectObject.GDI32(00000000,00000000), ref: 0057F226

Strings

(, xrefs: 0057F171

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Create$CompatibleObjectSelect$BitmapSection
String ID: (
API String ID: 3995652026-3887548279
Opcode ID: c799f1f5c9285ef010bde48d4891a93f7d6e3efb9bfe5937a49c779319de3f02
Instruction ID: 56d5b2a6230c8f69cb89cdb098c8ebf8277a282f1d98dc9a8471af58ed3423d3
Opcode Fuzzy Hash: c799f1f5c9285ef010bde48d4891a93f7d6e3efb9bfe5937a49c779319de3f02
Instruction Fuzzy Hash: C5513675E003489BDB20CFE4DC88BEEBBB6FF59304F108129E509AB251DB316995CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00526340 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005263F3
GetLastError.KERNEL32 ref: 005263FD

Part of subcall function 005A6850: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000000,6F923D37,?,75922EE0), ref: 005A68EF

MsgWaitForMultipleObjects.USER32(00000001,00000008,00000000,000000C8,00001CFF), ref: 00526462
GetExitCodeProcess.KERNEL32(00000008,00000000), ref: 00526480
GetLastError.KERNEL32 ref: 0052648A

Strings

Install return=%ld, xrefs: 00526541
Install ErrCode= %ld, xrefs: 005264A6
Install ErrCode=%d, xrefs: 00526419

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastProcess$ByteCharCodeCreateExitMultiMultipleObjectsWaitWide
String ID: Install ErrCode= %ld$Install ErrCode=%d$Install return=%ld
API String ID: 3171732053-3345554096
Opcode ID: ca08f19757632bf957ad27edd21be4926096bb14a2da1a3d4a4b8b88a7b34ae4
Instruction ID: ed3ca0a3751d1ceb94ee48368080f4dba8b263a0e6b13933eb5547d6e7193a69
Opcode Fuzzy Hash: ca08f19757632bf957ad27edd21be4926096bb14a2da1a3d4a4b8b88a7b34ae4
Instruction Fuzzy Hash: DE71F371A002099BDF10EFA4DD85B9D7FB6FF5A304F244258E800AB2C6D7B59A45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00612B81 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 375COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00612BC9
_free.LIBCMT ref: 00612BED
_free.LIBCMT ref: 00612BFA
_free.LIBCMT ref: 00612C1F
_free.LIBCMT ref: 00612C2C
_free.LIBCMT ref: 00612C35
_free.LIBCMT ref: 00612F10
_free.LIBCMT ref: 00612F18

Strings

tAe, xrefs: 00612BAF, 00612E95

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free
String ID: tAe
API String ID: 269201875-2013524493
Opcode ID: 26a2d45f9d8972fad9e6c803e9242c160dfa474adc4b4cd3b53aa46e73dd4bb7
Instruction ID: b9f1b543eeac71a8587d6c45a23ea7ef9856c3e6ac6b271c4f3f15b8f0e02e8a
Opcode Fuzzy Hash: 26a2d45f9d8972fad9e6c803e9242c160dfa474adc4b4cd3b53aa46e73dd4bb7
Instruction Fuzzy Hash: 0CC15376D80205ABDB60DBA8DC82FEF77F9AF08700F144169FA04FB2C6D67099409B94

Uniqueness

Uniqueness Score: -1.00%

Function 005842C0 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 314COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 0058446F
CharNextW.USER32(?), ref: 005844DD
CharNextW.USER32(?), ref: 0058454B
CharNextW.USER32(?), ref: 005845B9

Strings

selitemtextcolor, xrefs: 0058450B
itemtextcolor, xrefs: 0058442F
visiblefolderbtn, xrefs: 005842CB
itemminwidth, xrefs: 005843DC
true, xrefs: 00584304, 00584392
selitemhottextcolor, xrefs: 00584579
visiblecheckbtn, xrefs: 00584355
itemhottextcolor, xrefs: 0058449D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext
String ID: itemhottextcolor$itemminwidth$itemtextcolor$selitemhottextcolor$selitemtextcolor$true$visiblecheckbtn$visiblefolderbtn
API String ID: 3213498283-1882295018
Opcode ID: b2c29b11fc89b1ab581706e8d69ecbc4fdf19a7add910f97251721081bd0effa
Instruction ID: 9a4c598cef08e01bb47a509d54a228c7e6234d68d4134549173b11761388189b
Opcode Fuzzy Hash: b2c29b11fc89b1ab581706e8d69ecbc4fdf19a7add910f97251721081bd0effa
Instruction Fuzzy Hash: B5A1B1726001039BEB14BF64D8057BABB66FF70768F948975ED06EB214E732D981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005A8880 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 312synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,005A8C00,00000000,00000000,00000000), ref: 005A8ADD
WaitForSingleObject.KERNEL32(00000000,00002710,?,?,?,?,?,?,?,?,00000004), ref: 005A8AEF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000004), ref: 005A8AF6

Strings

&downloader_num=, xrefs: 005A8987
uid=, xrefs: 005A88FA
GUID, xrefs: 005A88C4
&install_finish_downloader=true, xrefs: 005A8A18
&url=, xrefs: 005A8915
&install_start_downloader=false, xrefs: 005A8A03
&install_finish_downloader=false, xrefs: 005A8A21
UpdateEventUrl, xrefs: 005A8A43
&install_start_downloader=true, xrefs: 005A89FA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleThreadWait
String ID: &downloader_num=$&install_finish_downloader=false$&install_finish_downloader=true$&install_start_downloader=false$&install_start_downloader=true$&url=$GUID$UpdateEventUrl$uid=
API String ID: 51348343-3402532700
Opcode ID: 703b64960f3d7d92addc5bab7d517e7446596f9a881c35618e67d20626670b6e
Instruction ID: 15a293ae984d75f9dfa847270b87fa30a1bbdc1acd04174778ffb9533398cd07
Opcode Fuzzy Hash: 703b64960f3d7d92addc5bab7d517e7446596f9a881c35618e67d20626670b6e
Instruction Fuzzy Hash: A7B14C71A002489FDB14DF64CC4ABAEBFB6FF86314F10425DE001AB6C1DB75AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005821E0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 276windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00582318
ScreenToClient.USER32(?,?), ref: 0058233A
PtInRect.USER32(?,?,?), ref: 0058234D
SetFocus.USER32(?), ref: 005823B1
GetCaretPos.USER32(?), ref: 0058241F
ImmGetContext.IMM32(?), ref: 00582432
ImmSetCompositionWindow.IMM32(00000000,00000020), ref: 0058245E
GetObjectW.GDI32(00000000,0000005C,?), ref: 0058247D
ImmSetCompositionFontW.IMM32(00000000,?), ref: 00582489
ImmReleaseContext.IMM32(?,00000000), ref: 0058249D
ScreenToClient.USER32(?,?), ref: 005824D3

Strings

, xrefs: 0058243D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ClientCompositionContextScreen$CaretCursorFocusFontObjectRectReleaseWindow
String ID:
API String ID: 850084529-3916222277
Opcode ID: 5ac8187c66e1efbc036d6ecbad92c324c795df5e9bf79b24ee27c522e594e7ec
Instruction ID: 2622efc31236628cdc97af329e5c25c24c0cca4341769de717aaa11cfcf01734
Opcode Fuzzy Hash: 5ac8187c66e1efbc036d6ecbad92c324c795df5e9bf79b24ee27c522e594e7ec
Instruction Fuzzy Hash: A9B16E756042018FDB24EF18C998AADBFE6BF89300F040869FD99EB291DB34DD55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 005625D0 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 211fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000), ref: 00562699
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,dJe,6F923D37), ref: 0056267D

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

Strings

Error opening file, xrefs: 0056268C
Error opening zip file, xrefs: 0056275F
Could not read file, xrefs: 00562717
Could not unzip file, xrefs: 005627FE
Could not find ziped file, xrefs: 0056278A
File too large, xrefs: 005626BB, 005627AE
dJe, xrefs: 00562622
File is empty, xrefs: 005626A7, 0056279D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: File$CreateSize_free
String ID: Could not find ziped file$Could not read file$Could not unzip file$Error opening file$Error opening zip file$File is empty$File too large$dJe
API String ID: 4284271727-1695810021
Opcode ID: 4d57c4895ef7f826758a6000fe41e44a76b190026b670fa2b5ba782096364be4
Instruction ID: dc8a3d39a5d6f85ed8ac2d8d97374c731e86c0487fab7b4800c1bd12469710b8
Opcode Fuzzy Hash: 4d57c4895ef7f826758a6000fe41e44a76b190026b670fa2b5ba782096364be4
Instruction Fuzzy Hash: 50610AB1E0070567EB319B20EC9AFAE7B6ABB94710F144469F40A672C1EF716E44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005BC220 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 207COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005BC26F
___from_strstr_to_strchr.LIBCMT ref: 005BC2BF
___swprintf_l.LIBCMT ref: 005BC349

Strings

;type=%c, xrefs: 005BC33E
Port number out of range, xrefs: 005BC49A
[%*45[0123456789abcdefABCDEF:.]%c, xrefs: 005BC23D
IPv6 closing bracket followed by '%c', xrefs: 005BC28F
Port number ended with '%c', xrefs: 005BC451
%s://%s%s%s:%d%s%s%s, xrefs: 005BC39E
t,b, xrefs: 005BC37E
x,b, xrefs: 005BC38D
], xrefs: 005BC255

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr$___swprintf_l
String ID: %s://%s%s%s:%d%s%s%s$;type=%c$IPv6 closing bracket followed by '%c'$Port number ended with '%c'$Port number out of range$[%*45[0123456789abcdefABCDEF:.]%c$]$t,b$x,b
API String ID: 604305841-4099080028
Opcode ID: e609e975d2d32ddaa520e879804c7a50d6611e79bdf877cf825623146c6182dc
Instruction ID: f1aac30ce8bb450f07a194f63f28554e348e3ac9b0c64f652bc04a534ca4eb07
Opcode Fuzzy Hash: e609e975d2d32ddaa520e879804c7a50d6611e79bdf877cf825623146c6182dc
Instruction Fuzzy Hash: C27179B0B04746ABEB109B74D856BFEBFE4FF85300F44046AE88986282DB3479548B91

Uniqueness

Uniqueness Score: -1.00%

Function 005DE050 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 198COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005DE0C1
_strncpy.LIBCMT ref: 005DE17E
_strncpy.LIBCMT ref: 005DE1C3

Strings

NEW_ENV, xrefs: 005DE1E6
TTYPE, xrefs: 005DE15C
XDISPLOC, xrefs: 005DE1A1
Unknown telnet option %s, xrefs: 005DE2D8
USER,%s, xrefs: 005DE0B6
Syntax error in telnet option: %s, xrefs: 005DE2F1
%127[^= ]%*[ =]%255s, xrefs: 005DE13E
%hu%*[xX]%hu, xrefs: 005DE256
BINARY, xrefs: 005DE27F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _strncpy$___swprintf_l
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 1627702573-748038847
Opcode ID: 27c2c8937454c8de47af7cb51024e4a4efb15649c779e52254dff61e1250f8df
Instruction ID: 323254c903200fea925c35b0ecad2d83f294de40b95f853da9f967a4453ad91a
Opcode Fuzzy Hash: 27c2c8937454c8de47af7cb51024e4a4efb15649c779e52254dff61e1250f8df
Instruction Fuzzy Hash: 3671E571D00209AFEF21EF64DC46FDABBA8BF44304F8444ABF54997242EE31EA448B51

Uniqueness

Uniqueness Score: -1.00%

Function 0056EBA0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(errorLine), ref: 0056EC2F
SysAllocString.OLEAUT32(errorCharacter), ref: 0056EC39
SysAllocString.OLEAUT32(errorCode), ref: 0056EC43
SysAllocString.OLEAUT32(errorMessage), ref: 0056EC4D
SysAllocString.OLEAUT32(errorUrl), ref: 0056EC57
SysFreeString.OLEAUT32(?), ref: 0056ED13

Strings

errorMessage, xrefs: 0056EC45
errorCharacter, xrefs: 0056EC31
errorCode, xrefs: 0056EC3B
errorLine, xrefs: 0056EC0F
(, xrefs: 0056EBEB
errorUrl, xrefs: 0056EC4F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: String$Alloc$Free
String ID: ($errorCharacter$errorCode$errorLine$errorMessage$errorUrl
API String ID: 2383597386-2821095632
Opcode ID: 9f895665dc94bb7766648daa63d5f56e786ba9a8be9ecde76564d6edb3c14414
Instruction ID: cf1453d238b3fffcad6e9d6e8787321cb75a7b4d562a1fb145962838d0de20c9
Opcode Fuzzy Hash: 9f895665dc94bb7766648daa63d5f56e786ba9a8be9ecde76564d6edb3c14414
Instruction Fuzzy Hash: 4451B071A002199FDB10DF68CC85B9EBBB5FF49314F5080A9F509AB290DB71AE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005846D0 Relevance: 19.7, APIs: 13, Instructions: 171windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005848F0: IntersectRect.USER32(?,?,?), ref: 005849EB

SendMessageW.USER32(?,00000030,?,00000001), ref: 005847CA
SendMessageW.USER32(?,000000C5,?,00000000), ref: 005847DF
SendMessageW.USER32(?,000000CC,?,00000000), ref: 005847FF
SetWindowTextW.USER32(?,00000000), ref: 00584815
SendMessageW.USER32(?,000000B9,00000000,00000000), ref: 00584840
SendMessageW.USER32(?,000000D3,00000003,00000000), ref: 0058484E
EnableWindow.USER32(?,00000000), ref: 00584868
SendMessageW.USER32(?,000000CF,00000000,00000000), ref: 00584888
ShowWindow.USER32(?,00000004), ref: 0058488F
SetFocus.USER32(?), ref: 00584898
GetWindowTextLengthW.USER32(?), ref: 005848AE
GetWindowTextLengthW.USER32(?), ref: 005848C3
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005848D3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: MessageSend$Window$Text$Length$EnableFocusIntersectRectShow
String ID:
API String ID: 2848147740-0
Opcode ID: eda107360847c2c345e5bbeed02afdeaa9f9f8132558f972dc8a24df8c76e987
Instruction ID: ff5be59877b6c1ed9d0e332a756f4a3400cd2132f4f9f7c840cf6b3b7c32a35f
Opcode Fuzzy Hash: eda107360847c2c345e5bbeed02afdeaa9f9f8132558f972dc8a24df8c76e987
Instruction Fuzzy Hash: 32513B74600215AFEB14EF24CC9AF6A7BA6BF49300F0441A9ED099F2A2DB71ED55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005D8500 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 352COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005D855F

Strings

%u.%u.%u.%u, xrefs: 005D870B
Weirdly formatted EPSV reply, xrefs: 005D860D
Illegal port number in EPSV reply, xrefs: 005D85BB
Can't resolve new host %s:%hu, xrefs: 005D87FB
Bad PASV/EPSV response: %03d, xrefs: 005D891C
%c%c%c%u%c, xrefs: 005D8586
Can't resolve proxy host %s:%hu, xrefs: 005D8795
Couldn't interpret the 227-response, xrefs: 005D8671
%u,%u,%u,%u,%u,%u, xrefs: 005D8658
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 005D86EA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 601868998-927013084
Opcode ID: f6a2023190bcab6c941264874a739690a98c8fd906abf7692748e1ed0187a251
Instruction ID: 7319afd050b77df145e1d3968c6e175921a37c82b56e79be734183380c44b3a4
Opcode Fuzzy Hash: f6a2023190bcab6c941264874a739690a98c8fd906abf7692748e1ed0187a251
Instruction Fuzzy Hash: E5C12B71900605ABDB309B68DC46FFF7BA9FF44315F54086BF90A92242EB35B950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00612A83 Relevance: 19.6, APIs: 13, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00612AA0

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

_free.LIBCMT ref: 00612AB2
_free.LIBCMT ref: 00612AC4
_free.LIBCMT ref: 00612AD6
_free.LIBCMT ref: 00612AE8
_free.LIBCMT ref: 00612AFA
_free.LIBCMT ref: 00612B0C
_free.LIBCMT ref: 00612B1E
_free.LIBCMT ref: 00612B30
_free.LIBCMT ref: 00612B42
_free.LIBCMT ref: 00612B54
_free.LIBCMT ref: 00612B66
_free.LIBCMT ref: 00612B78

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9ad7ca21333fb794281161d15ae7b0c8827b71b0466904216fd3e23fc0801fab
Instruction ID: 00a0f5a4a97f80d4be7b72ec803c56e1bd5877c1d0b4e43d7a9c8a1bf5f18ced
Opcode Fuzzy Hash: 9ad7ca21333fb794281161d15ae7b0c8827b71b0466904216fd3e23fc0801fab
Instruction Fuzzy Hash: 58213072504701ABC778EFA8F895C9773FBAB74355B680848F055DB691CA30FCD09A68

Uniqueness

Uniqueness Score: -1.00%

Function 005580B0 Relevance: 19.6, APIs: 13, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 005580C2
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,00525386), ref: 005580CF
EnableWindow.USER32(00000000,00000000), ref: 005580D7
IsWindow.USER32(?), ref: 005580EF
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0055810A
EnableWindow.USER32(00000000,00000001), ref: 00558128
SetFocus.USER32(00000000), ref: 0055812F
TranslateMessage.USER32(?), ref: 00558145
DispatchMessageW.USER32(?), ref: 0055814F
IsWindow.USER32(?), ref: 0055815E
EnableWindow.USER32(00000000,00000001), ref: 0055816B
SetFocus.USER32(00000000,?,?,?,?,?,?,?,00525386), ref: 00558172
PostQuitMessage.USER32(?), ref: 00558181

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$Message$Enable$Focus$DispatchPostQuitShowTranslate
String ID:
API String ID: 200552106-0
Opcode ID: deccb9458498692119ffca4084044731266901399beb2dc4e79af8818e098f4f
Instruction ID: bde7e618f3d1e49eb01b66db11094f6bbe75ec0228a19766841505c124ee3543
Opcode Fuzzy Hash: deccb9458498692119ffca4084044731266901399beb2dc4e79af8818e098f4f
Instruction Fuzzy Hash: 6621A331904A0AAFDF20AFA0DC49BEEBBBAFF26302F505121F505AA050DB745947CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00546270 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 228memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 005A6850: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000000,6F923D37,?,75922EE0), ref: 005A68EF

CreateThread.KERNEL32(00000000,00000000,00546430,00000000,00000000,00000000), ref: 0054635C
CloseHandle.KERNEL32(00000000), ref: 00546367
VariantInit.OLEAUT32(00000000), ref: 00546473
SysAllocString.OLEAUT32(about:blank), ref: 0054648E
VariantClear.OLEAUT32(?), ref: 005464BD

Strings

DJe, xrefs: 0054633C
load h5 SetWebBrowserEventHandler, xrefs: 00546320
DJe, xrefs: 005464D3
about:blank, xrefs: 00546485
load h5 end, xrefs: 00546382
load h5 FindControl, xrefs: 005462D8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Variant$AllocByteCharClearCloseCreateHandleInitMultiStringThreadWide
String ID: DJe$DJe$about:blank$load h5 FindControl$load h5 SetWebBrowserEventHandler$load h5 end
API String ID: 711093020-843595317
Opcode ID: ec60087e64d668334c102f98a219aa9cc9946add4972159d27fa6ca2524c6333
Instruction ID: 00739e9c2c095d0fe3d0c95d01538f05609da4363e0f4ee6ec9caf1407406de6
Opcode Fuzzy Hash: ec60087e64d668334c102f98a219aa9cc9946add4972159d27fa6ca2524c6333
Instruction Fuzzy Hash: 0A810271A00344ABDB24DF68CC49BDE7FA6FB86708F20465CF8059B2C1DB76A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00612FA3 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00613011
_free.LIBCMT ref: 0061301D
_free.LIBCMT ref: 00613146
_free.LIBCMT ref: 00613151

Strings

tAe, xrefs: 00612FCE, 00613188
xAe, xrefs: 0061319F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free
String ID: tAe$xAe
API String ID: 269201875-2979389600
Opcode ID: 48e274f9b18e25649c312cc9a517361182eefc729dd4fada658bf6bb6762af01
Instruction ID: 779e13d975df44e64842cff3eb024d228cc608f08ecf4db8d26443d58e3a1e04
Opcode Fuzzy Hash: 48e274f9b18e25649c312cc9a517361182eefc729dd4fada658bf6bb6762af01
Instruction Fuzzy Hash: 5261E671940305AFDB20DF64D842BEB77FAEF55310F284569E946DB381EB70AE818B50

Uniqueness

Uniqueness Score: -1.00%

Function 005D8230 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005D8320
___swprintf_l.LIBCMT ref: 005D83FE

Strings

Given file does not exist, xrefs: 005D827D
%04d%02d%02d %02d:%02d:%02d GMT, xrefs: 005D8318
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 005D83F3
%04d%02d%02d%02d%02d%02d, xrefs: 005D82C8
The requested document is not old enough, xrefs: 005D84C5
Skipping time comparison, xrefs: 005D84CC
The requested document is not new enough, xrefs: 005D847A
unsupported MDTM reply format, xrefs: 005D826A
Mb, xrefs: 005D83B5

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___swprintf_l
String ID: Mb$%04d%02d%02d %02d:%02d:%02d GMT$%04d%02d%02d%02d%02d%02d$Given file does not exist$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$unsupported MDTM reply format
API String ID: 48624451-1366277790
Opcode ID: 78c9a35c413d17f969e1c7104d2b8dd6cc9e2f050f8031ae68f5fd13efc6348d
Instruction ID: 92777893bb852c6a477b433a7f7557a19bd68bc402d56d8e96793b2d5b150915
Opcode Fuzzy Hash: 78c9a35c413d17f969e1c7104d2b8dd6cc9e2f050f8031ae68f5fd13efc6348d
Instruction Fuzzy Hash: 41719271A0061AABEF31DB68DC46FEA7BA9FB44304F0445ABE94DD3241DE31AA44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0054A910 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 444libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,6F923D37,?,?), ref: 0054A95D
GetProcAddress.KERNEL32(00000000), ref: 0054A964

Strings

DisplayIcon, xrefs: 0054AB17
RegistryName, xrefs: 0054AA20
RegistryAddress, xrefs: 0054A9D0
kernel32, xrefs: 0054A75E, 0054A958
GetNativeSystemInfo, xrefs: 0054A759, 0054A953

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisplayIcon$GetNativeSystemInfo$RegistryAddress$RegistryName$kernel32
API String ID: 1646373207-2338805103
Opcode ID: d0c1998db0748fcf81e38d64c7fa90c0fa2484409714e658720aa03855c45d5c
Instruction ID: 60daf6a393e32a788d4a155079281dc5da0b0e4d4236471f8c1928cc27dc6fe0
Opcode Fuzzy Hash: d0c1998db0748fcf81e38d64c7fa90c0fa2484409714e658720aa03855c45d5c
Instruction Fuzzy Hash: AB021670E102499BEF24DF74CD49BDDBB72BF85308F10865CE044AB296E775AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0053C3E0 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 382windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00521340: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000), ref: 00521361

GetWindowRect.USER32(00000000,00000000), ref: 0053C792
ClientToScreen.USER32(00000000,?), ref: 0053C7D8
PtInRect.USER32(00000000,?,?), ref: 0053C7E8
SendMessageW.USER32(00000000,000000A1,00000002,?), ref: 0053C80B
PtInRect.USER32(?,?,?), ref: 0053C822
SendMessageW.USER32(00000000,00000112,0000F020,00000000), ref: 0053C843

Strings

InterceptWebEventX, xrefs: 0053C522
InterceptWebEventCloseX, xrefs: 0053C5F5
InterceptWebEventCloseY, xrefs: 0053C6C8
InterceptWebEventY, xrefs: 0053C44F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect$MessageSend$ByteCharClientMultiScreenWideWindow
String ID: InterceptWebEventCloseX$InterceptWebEventCloseY$InterceptWebEventX$InterceptWebEventY
API String ID: 2162539429-2061605471
Opcode ID: 24ad1629fb674357db351af8ddb5bc12c84a1d8415a2276a7a73a58698282743
Instruction ID: d0e47e0b719e763dd7638dedcb4fc10b25d7418a4fb6276bb23e31ab672f8e60
Opcode Fuzzy Hash: 24ad1629fb674357db351af8ddb5bc12c84a1d8415a2276a7a73a58698282743
Instruction Fuzzy Hash: 41D1F771A002059BDF14DF78DC4ABAE7FB6BF89304F24461CE415BB292DB75AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00562910 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 370COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000004,00000000,?,?), ref: 005629F7
CharNextW.USER32(00000000,00000000,?,?,?,005628FC,0056258D,00000000,?,?,0056258D), ref: 00562C09
CharNextW.USER32(00000000,00000000,?,?,?,005628FC,0056258D,00000000,?,?,0056258D), ref: 00562C4E

Strings

Expected start tag, xrefs: 00562CFA
gfff, xrefs: 00562A3A
Error parsing element name, xrefs: 00562CB5
Unmatched closing tag, xrefs: 00562C69
>, xrefs: 00562B00
Expected start-tag closing, xrefs: 00562C9D
Expected end-tag start, xrefs: 00562C86

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext
String ID: >$Error parsing element name$Expected end-tag start$Expected start tag$Expected start-tag closing$Unmatched closing tag$gfff
API String ID: 3213498283-651812674
Opcode ID: b130480ea0abccca1d6de91eb92b3ab2322f8fb26e8d78ae9f16493ec76e48f1
Instruction ID: e6ff856dc2b46bfe035bfd7598de8b6e94f5c2ecdf6a5a1c97b744e453db1505
Opcode Fuzzy Hash: b130480ea0abccca1d6de91eb92b3ab2322f8fb26e8d78ae9f16493ec76e48f1
Instruction Fuzzy Hash: 32C105356006069FCB24EF69C8949BABBF6FF99340F14856EE984CB351E7709D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005B4990 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 319COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005B4AA7
___from_strstr_to_strchr.LIBCMT ref: 005B4B4C
___from_strstr_to_strchr.LIBCMT ref: 005B4BAF

Strings

Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 005B4A0D
Added %s:%d:%s to DNS cache, xrefs: 005B4CCC
RESOLVE %s:%d is - old addresses discarded!, xrefs: 005B4C4D
Ignoring resolve address '%s', missing IPv6 support., xrefs: 005B4BC3
Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 005B4D32
Resolve address '%s' found illegal!, xrefs: 005B4D1C
%255[^:]:%d, xrefs: 005B49F2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %255[^:]:%d$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$Ignoring resolve address '%s', missing IPv6 support.$RESOLVE %s:%d is - old addresses discarded!$Resolve address '%s' found illegal!
API String ID: 601868998-3873099096
Opcode ID: 60a0e97c653fe5e5568bfa5af0d1f41a9a6686494cff52d21a45bff59cbe196a
Instruction ID: a875a3b7ea49b5c230d10013d9f10bb9d591d76b4d0c989e95eec8ca824d106e
Opcode Fuzzy Hash: 60a0e97c653fe5e5568bfa5af0d1f41a9a6686494cff52d21a45bff59cbe196a
Instruction Fuzzy Hash: 78B1C4719002159BDF319F64DC49BEE7FA9FF85705F1404A8E80AAB243E635AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005CA0A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CA0DF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CA11D
___swprintf_l.LIBCMT ref: 005CA175
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CA18D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CA1C2
___swprintf_l.LIBCMT ref: 005CA1D7
___swprintf_l.LIBCMT ref: 005CA1F2

Strings

%7I64dd, xrefs: 005CA1E8
%2I64d:%02I64d:%02I64d, xrefs: 005CA16B
%3I64dd %02I64dh, xrefs: 005CA1CD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$___swprintf_l
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 2070094197-564197712
Opcode ID: 2c9dc585ac086955f49396bc0ddcab82966a66db62f8808c602d37a1eeed58de
Instruction ID: 2b6a276a1da6819de8098982e9fec809370f2f22ef5cdb05bfc1697ac3b8c9b9
Opcode Fuzzy Hash: 2c9dc585ac086955f49396bc0ddcab82966a66db62f8808c602d37a1eeed58de
Instruction Fuzzy Hash: 414117B3B002597EE7205DAD9C4AFAE7F6DEBC4B50F054179FD18EB181DAB19D108290

Uniqueness

Uniqueness Score: -1.00%

Function 00532BAB Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 313threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00537520,?,00000000,00000000), ref: 00532DDB
CloseHandle.KERNEL32(00000000,?,?,0000001A), ref: 00532DEA

Strings

Installing, xrefs: 00532E24
..., xrefs: 00532EBD
text, xrefs: 00532F28
progressTip, xrefs: 00532F50
4ye, xrefs: 00532EB1
Installing, xrefs: 00532C85
Info_Start_Install_Program, xrefs: 00532C4F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: ...$4ye$Info_Start_Install_Program$Installing$Installing$progressTip$text
API String ID: 3032276028-3872197431
Opcode ID: b5c7499ae8b7e673f4828292d6472268633a6ad3f13635977d89711f89647c98
Instruction ID: 3a8f9d9703574b46735353f0848378cef5adf78a8188ac30008c0f8f575c39ef
Opcode Fuzzy Hash: b5c7499ae8b7e673f4828292d6472268633a6ad3f13635977d89711f89647c98
Instruction Fuzzy Hash: E7D1C0B0A013459BDB14DF24DD4EB9DBFB2BF85314F204298E408AB2D2D7B5AB44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005348F0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 244fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,6F923D37,00000000,?), ref: 00534950
GetFileSize.KERNEL32(00000000,00000000), ref: 00534964
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 00534985
ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 005349C1
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?), ref: 00534A36
CloseHandle.KERNEL32(00000000,6F923D37,00000000,?), ref: 00534C46

Strings

errInfo, xrefs: 00534A55
Downloading, xrefs: 00534B34
error_info, xrefs: 00534AFB

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: File$ByteCharCloseCreateHandleMultiPointerReadSizeWide
String ID: Downloading$errInfo$error_info
API String ID: 20821478-1371400834
Opcode ID: f6dd9c557b2cb57365a6d4da3d22db976b3b874d613e0d08ae2fbc15119ea12f
Instruction ID: 35054e49e0504e448b18231973cf5966b9de42da88292a8bbd7ae795661fd0d5
Opcode Fuzzy Hash: f6dd9c557b2cb57365a6d4da3d22db976b3b874d613e0d08ae2fbc15119ea12f
Instruction Fuzzy Hash: 1291C4709002189BDB25DB64CC89BEEBBB6FF89704F104198E509AB2D1DB746F84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005C4130 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 229COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005C41D9
___from_strstr_to_strchr.LIBCMT ref: 005C41EB

Strings

Content-Type:, xrefs: 005C42AD, 005C42CF
Connection:, xrefs: 005C4318
Content-Length:, xrefs: 005C42F4
Authorization:, xrefs: 005C434E
%s, xrefs: 005C4393
Transfer-Encoding:, xrefs: 005C4339
Host:, xrefs: 005C4288

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Host:$Transfer-Encoding:
API String ID: 601868998-2212639000
Opcode ID: bc72e40d77b4b1b9846829583e406fad53cb26a9f86de74976cbc7299dd9bfc8
Instruction ID: ae3c8cf30d1baa21e2ea260bf730240e750c56c4a104a4b7f83808d6128a63cc
Opcode Fuzzy Hash: bc72e40d77b4b1b9846829583e406fad53cb26a9f86de74976cbc7299dd9bfc8
Instruction Fuzzy Hash: AF810574A00651AFEF218EE49815FA97FA1BF91744F0845BCEC849F242E375C991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00588590 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 005886FE
MonitorFromWindow.USER32(?,00000001), ref: 0058872D
GetMonitorInfoW.USER32(00000000), ref: 00588734
MapWindowPoints.USER32(?,00000000,?,00000002), ref: 0058878C

Part of subcall function 00557EC0: GetClassInfoExW.USER32(00000000,00000000), ref: 00557F0C
Part of subcall function 00557EC0: GetClassInfoExW.USER32(00520000,00000000), ref: 00557F2C
Part of subcall function 00557EC0: RegisterClassExW.USER32(00000030), ref: 00557F69
Part of subcall function 00557EC0: GetLastError.KERNEL32 ref: 00557F74
Part of subcall function 00557EC0: LoadCursorW.USER32 ref: 00557FE2
Part of subcall function 00557EC0: RegisterClassW.USER32(00000000), ref: 0055800D
Part of subcall function 00557EC0: GetLastError.KERNEL32(?,?,?,00000000,00007F00), ref: 00558018

GetParent.USER32(?), ref: 005887D7
GetParent.USER32(?), ref: 005887E1
GetParent.USER32(00000000), ref: 005887E6
ShowWindow.USER32(?,00000005), ref: 005887F5

Strings

(, xrefs: 00588725

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ClassWindow$InfoParent$ErrorLastMonitorPointsRegister$CursorFromLoadShow
String ID: (
API String ID: 3348196917-3887548279
Opcode ID: 85aba16b30c0df252c353bd757f7f348d378fcfb1df1f9e0bf45bf6702a44177
Instruction ID: 9e04ee5c8d9922b43165b2864f31c439285ba74108af8e010d3a704319cc36aa
Opcode Fuzzy Hash: 85aba16b30c0df252c353bd757f7f348d378fcfb1df1f9e0bf45bf6702a44177
Instruction Fuzzy Hash: 318110716083019FD724DF28C945A6ABBF5FF89300F144A6DFA99D7360EB71E9008B82

Uniqueness

Uniqueness Score: -1.00%

Function 005E0190 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 005E0232
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 005E02C2
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 005E039C

Strings

tftp_rx: internal error, xrefs: 005E03AF
Received last DATA packet block %d again., xrefs: 005E01EA
Timeout waiting for block %d ACK. Retries = %d, xrefs: 005E02F4
Received unexpected DATA packet block %d, expecting block %d, xrefs: 005E0272

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: sendto
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1876886790-1785996722
Opcode ID: 8acdf3cd5bb361c252e396eda9ae89d51122ecb109d69cac9ee8105b48691ccf
Instruction ID: aef1a033dbbaefb75222ecc73beb0a650f8a4b5788cbb716a22a2016229521c6
Opcode Fuzzy Hash: 8acdf3cd5bb361c252e396eda9ae89d51122ecb109d69cac9ee8105b48691ccf
Instruction Fuzzy Hash: 3051E0B2200912BBE7145F65EC46BFAB768FF84315F000622FA59D6191E732B5A08BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00542480 Relevance: 15.4, APIs: 2, Strings: 8, Instructions: 411COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00000008,000000FF,?,0000000A), ref: 0054269D
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,00000000,-00000002,?,Errorinfo,00000009), ref: 005427C6

Strings

Failed, xrefs: 005425C1
CDN, xrefs: 005424EF
Errorinfo, xrefs: 005426B8
Result, xrefs: 0054259A
Success, xrefs: 005425CC, 005425F6, 005425F7
Home_Installer, xrefs: 005428C3
Elapsed, xrefs: 005427E1
Result_Download_Configurefile, xrefs: 0054288A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: CDN$Elapsed$Errorinfo$Failed$Home_Installer$Result$Result_Download_Configurefile$Success
API String ID: 626452242-2874092996
Opcode ID: 64a19a8ed8e16262cc972ebbc3cb313be0a29e4efe2d215d5e8e535bb68e533d
Instruction ID: 57658920893f42736f069133c944e0f45d7af2fbe1f4470c891d1183e236ffc1
Opcode Fuzzy Hash: 64a19a8ed8e16262cc972ebbc3cb313be0a29e4efe2d215d5e8e535bb68e533d
Instruction Fuzzy Hash: 11F1D6319002699BDF24DB24CC89BDDBB76FF89318F508298F444AB295DB756F84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0057CCDB Relevance: 15.3, APIs: 10, Instructions: 294COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?), ref: 0057CD60
CharNextW.USER32(?), ref: 0057DE42
CharNextW.USER32(?), ref: 0057DE64

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext$ColorText
String ID:
API String ID: 1248641432-0
Opcode ID: 44d0e0f7dec8751d59c0050605f4cb862262ffa67c511f3fe52172af4f306ac4
Instruction ID: d89ecc404c426e3282effc7fbc5527a063b8dfe526a10ba3522092dc8c608fe7
Opcode Fuzzy Hash: 44d0e0f7dec8751d59c0050605f4cb862262ffa67c511f3fe52172af4f306ac4
Instruction Fuzzy Hash: E9C15AB0D042298BDF209F24DC49BA9BBB6BF94340F0445E9E84DA7251DB369EE1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00578830 Relevance: 15.2, APIs: 10, Instructions: 153COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 005788FA
CreateRectRgnIndirect.GDI32(?), ref: 0057890A
CreateRectRgnIndirect.GDI32(?), ref: 00578913
CreateRoundRectRgn.GDI32(00000001,00000001,00000001,?,?,?), ref: 0057894E
CombineRgn.GDI32(?,?,00000000,00000001), ref: 0057895E
ExtSelectClipRgn.GDI32(?,?,00000001), ref: 0057896A
DeleteObject.GDI32(00000000), ref: 00578985
SelectClipRgn.GDI32(?,?), ref: 005789D3
DeleteObject.GDI32(?), ref: 005789DC
DeleteObject.GDI32(?), ref: 005789DF

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ClipCreateDeleteObjectRect$IndirectSelect$CombineRound
String ID:
API String ID: 4113048980-0
Opcode ID: 34d2e6bc8f8f375bf8d75a2db8e77bd4afacc18207b86fcc0b9dad0295f12717
Instruction ID: 4bcca968f14cf2d888f1bf7f473e4acf577bc8e93aad4eea5f6231c95403bb54
Opcode Fuzzy Hash: 34d2e6bc8f8f375bf8d75a2db8e77bd4afacc18207b86fcc0b9dad0295f12717
Instruction Fuzzy Hash: 10516A35D00608EFCB11DFA8D948AEEBBF9FF5A310F144269F909A7261DB316981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0060AB37 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0060AB4D

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

_free.LIBCMT ref: 0060AB59
_free.LIBCMT ref: 0060AB64
_free.LIBCMT ref: 0060AB6F
_free.LIBCMT ref: 0060AB7A
_free.LIBCMT ref: 0060AB85
_free.LIBCMT ref: 0060AB90
_free.LIBCMT ref: 0060AB9B
_free.LIBCMT ref: 0060ABA6
_free.LIBCMT ref: 0060ABB4

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1ba9749a48d38b5762c8eb2b4bc164d5ed8b23e1fe458f1c8df6ccdf1b0e6a54
Instruction ID: 9cae9fc469957deb67fd98c44f9b9ecbb09194e6dfc1fc7f05128b9eba386a74
Opcode Fuzzy Hash: 1ba9749a48d38b5762c8eb2b4bc164d5ed8b23e1fe458f1c8df6ccdf1b0e6a54
Instruction Fuzzy Hash: A5212BBA950208AFCB45EFD4C841DDE7BBABF48380F0045AAF5049F161EB71EA44DB81

Uniqueness

Uniqueness Score: -1.00%

Function 005DAEE0 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 378COMMON

Download Yara Rule

Strings

Accept-ranges: bytes, xrefs: 005DB063
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 005DB0D7
failed to resume file:// transfer, xrefs: 005DB3CB
Mb, xrefs: 005DB0AE
Content-Length: %I64d, xrefs: 005DB034
Can't get the size of file., xrefs: 005DB166

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Mb$Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$failed to resume file:// transfer
API String ID: 601868998-3958857549
Opcode ID: 47af0d2cdbb81205ad768e18c60b37336c831b734499bc15a2b80af7e97de348
Instruction ID: d24e88e3c5a08de1a899fcbd1179dc16b08c27c1422cc700012717f6a2404f61
Opcode Fuzzy Hash: 47af0d2cdbb81205ad768e18c60b37336c831b734499bc15a2b80af7e97de348
Instruction Fuzzy Hash: 1AD1C471A04219DBEB30DB68DC45BADBBB6BF45304F0444EAE90DA7342EB715E84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00570CA0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00570D17
PtInRect.USER32(?,?,?), ref: 00570D77
PtInRect.USER32(?,?,?), ref: 00570DC9
PtInRect.USER32(?,?,?), ref: 00570E3E

Strings

link, xrefs: 00570E88

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect
String ID: link
API String ID: 400858303-917281265
Opcode ID: 0368aaaef302c6e857ba5f77860e288ccd0d54055d40394dc5f2f8406cd5e331
Instruction ID: 25fe1ded090e57e3b1e38a0ad90092b1089aab4757a6a8c0eeaebbb9a6c60738
Opcode Fuzzy Hash: 0368aaaef302c6e857ba5f77860e288ccd0d54055d40394dc5f2f8406cd5e331
Instruction Fuzzy Hash: 4F818371704705DFCB30DF68E884A6ABBE5FB94325F109A2EE95DC7280CB31A851DB91

Uniqueness

Uniqueness Score: -1.00%

Function 005C0030 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 169networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,?), ref: 005C0094
WSAGetLastError.WS2_32(?,?,?,?,?,?,?), ref: 005C009E

Part of subcall function 005E3C50: GetLastError.KERNEL32(00000000,?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?), ref: 005E3C57
Part of subcall function 005E3C50: _strncpy.LIBCMT ref: 005E3C95
Part of subcall function 005E3C50: GetLastError.KERNEL32(?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?,005B90AB), ref: 005E3D30
Part of subcall function 005E3C50: SetLastError.KERNEL32(00000000,?,?,?,?,005C01F7,?,?,?,?,?,?,?,?,?,?), ref: 005E3D3B

getsockname.WS2_32(?,?,00000080), ref: 005C00FD
WSAGetLastError.WS2_32(?,?,005B90AB), ref: 005C0107

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 005C01FA
ssrem inet_ntop() failed with errno %d: %s, xrefs: 005C0170
getsockname() failed with errno %d: %s, xrefs: 005C0118
getpeername() failed with errno %d: %s, xrefs: 005C00AF

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$_strncpygetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 616724167-670633250
Opcode ID: 0e333fe6a60d7b22b7f0dd0b2986467bb4c9a106ea4efeef95a59971f8f9196b
Instruction ID: c7f648f561d3544c5ead4af6d1528f83c0ef6e4cb901c4a90c33aa4d9b3eaec1
Opcode Fuzzy Hash: 0e333fe6a60d7b22b7f0dd0b2986467bb4c9a106ea4efeef95a59971f8f9196b
Instruction Fuzzy Hash: 6D519575900219ABCF10AF659C4ABEE7BA8FF55310F4401E6FD49A7142EA316A848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E69D0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 119encryptionCOMMON

Download Yara Rule

APIs

CertGetNameStringA.CRYPT32(00000000,00000006,00010002,00000000,00000000,00000000), ref: 005E69EF
CertGetNameStringA.CRYPT32(00000000,00000006,00010002,00000000,00000000,?), ref: 005E6A2F

Strings

schannel: CertGetNameString() returned no certificate name information, xrefs: 005E69F8
schannel: server certificate name verification failed, xrefs: 005E6AC6
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 005E6A8F
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 005E6A7B
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 005E6AE2
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 005E6A38

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CertNameString
String ID: schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
API String ID: 149855834-1713101147
Opcode ID: ca6cf5e2c66f5a746196562a6a1bfed8566e81a12b75501b6251a8af784ed8fd
Instruction ID: 2ad320e0b675bd246676064d0e4197d6149c5575f6930c64d8290f41f7f89ec8
Opcode Fuzzy Hash: ca6cf5e2c66f5a746196562a6a1bfed8566e81a12b75501b6251a8af784ed8fd
Instruction Fuzzy Hash: 7E315532E00258A7DF259E4AEC42AEE7F2AFFA13C1F094475FC49B7101D7716E1186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00608DA2 Relevance: 13.8, APIs: 9, Instructions: 302COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9f6d37ce502ada221523dc097de9c31e2ee6e169be23bda0dcbcba0e3ef66b
Instruction ID: be39599ad992dda158ab5cd765b07b48e3b2f4589bb096e5f64d9fb417dda101
Opcode Fuzzy Hash: 0e9f6d37ce502ada221523dc097de9c31e2ee6e169be23bda0dcbcba0e3ef66b
Instruction Fuzzy Hash: ACC1F070A842469FDB19CFA8D884BAFBBB7AF49314F04405CE5519B3D2C7709A42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0058E840 Relevance: 13.8, APIs: 9, Instructions: 281timethreadCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000014,00000032,00000000), ref: 0058E8F6
BeginPaint.USER32(?,?), ref: 0058E919
EndPaint.USER32(?,?), ref: 0058E926
CallWindowProcW.USER32(?,?,?,?,?), ref: 0058E95B
GetClientRect.USER32(?,?), ref: 0058EAF6
GetGUIThreadInfo.USER32(00000000,?), ref: 0058EB4E
ClientToScreen.USER32(?,?), ref: 0058EB79
ScreenToClient.USER32(?,?), ref: 0058EB99
PtInRect.USER32(?,?,?), ref: 0058EBB2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Client$PaintRectScreen$BeginCallInfoProcThreadTimerWindow
String ID:
API String ID: 1857846357-0
Opcode ID: 11e6ece7bbdb16500be71980836120dd58fd03c953f5e23313374de40ab6e949
Instruction ID: 82746e7d5787be880cc7460130fd99fe56bff2fd735c64759fed3b1e66afc8aa
Opcode Fuzzy Hash: 11e6ece7bbdb16500be71980836120dd58fd03c953f5e23313374de40ab6e949
Instruction Fuzzy Hash: 9BB1C271A04605EFDB18DF64C886FA9BBB5FF49700F1445A9F909AB2A1D731ED80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0055CE20 Relevance: 13.7, APIs: 9, Instructions: 217COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0055CE5C
GetObjectW.GDI32(00000000), ref: 0055CE63
CreateFontIndirectW.GDI32(?), ref: 0055CEB6
SelectObject.GDI32(?,00000000), ref: 0055CF53
GetTextMetricsW.GDI32(?,00000090), ref: 0055CF6A
SelectObject.GDI32(?,00000000), ref: 0055CF7D
DeleteObject.GDI32(00000000), ref: 0055CFD1
DeleteObject.GDI32(00000000), ref: 0055D078

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Object$DeleteSelect$CreateFontIndirectMetricsStockText
String ID:
API String ID: 1902588391-0
Opcode ID: a56d579acb78998c90db73a67b7a16c03fd9bdc45a2a7774aa93bc451be5575b
Instruction ID: 56d2383371ae98c7972ebce9c60889feff4717c49f2df04a555fa102995e2a5a
Opcode Fuzzy Hash: a56d579acb78998c90db73a67b7a16c03fd9bdc45a2a7774aa93bc451be5575b
Instruction Fuzzy Hash: 1D81B671D002499BDF20DF60DC55BAE7FB5BF59301F0440AAED49EB282EA319E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005AAC2A Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 303threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,005ABDB0,?,00000000,00000000), ref: 005AACC1
CloseHandle.KERNEL32(00000000), ref: 005AACDD

Strings

&tmpTime_=, xrefs: 005AAECC
%s %d redownload info count:%d, xrefs: 005AAF77
%s %d download info code:%d, xrefs: 005AAD07
CHttpHelper::GetDownloadInfo, xrefs: 005AACED, 005AAF5D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: %s %d download info code:%d$%s %d redownload info count:%d$&tmpTime_=$CHttpHelper::GetDownloadInfo
API String ID: 3032276028-1870634201
Opcode ID: aeee60c6023a04b3219d3c4e30c89e7b3416859e10eeeeca4ea2aff6f461f04b
Instruction ID: c339f983fdd63d88738d3f754b150a06a2742689fafadbfab1936fe237a5db00
Opcode Fuzzy Hash: aeee60c6023a04b3219d3c4e30c89e7b3416859e10eeeeca4ea2aff6f461f04b
Instruction Fuzzy Hash: 9DB1C170A002599FEB29DF64CC59BDDBBB5BF8A304F14419CE405AB282D771AE81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005388C0 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00538A8E
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00538B2A
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00538BCE

Part of subcall function 00521300: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 0052131E

Strings

OfflineDownloadUrl, xrefs: 00538A4A
Click_Download_Offline, xrefs: 005388FB
Download_Failed, xrefs: 00538925
open, xrefs: 00538A87, 00538B23, 00538BC7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ExecuteShell$ByteCharMultiWide
String ID: Click_Download_Offline$Download_Failed$OfflineDownloadUrl$open
API String ID: 2997808067-3584090089
Opcode ID: 2d91efbe21ba2ae51817a9658204bd6879879a2ea42628034147fa3e1fe70ec6
Instruction ID: 12e0cf5ad50a9bd767b51d1bdb60938216dc87cb09b427666f0ad70035e8a1e2
Opcode Fuzzy Hash: 2d91efbe21ba2ae51817a9658204bd6879879a2ea42628034147fa3e1fe70ec6
Instruction Fuzzy Hash: C2910571A00309ABDF18CF68DC56BAEBF76BF85714F208119F511AB2C1DB756A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005C71C0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

%x%s, xrefs: 005C732D
operation aborted by callback, xrefs: 005C722E
Read callback asked for PAUSE when not supported!, xrefs: 005C7272
read function returned funny value, xrefs: 005C72D0
XAb, xrefs: 005C731B
Signaling end of chunked upload via terminating chunk., xrefs: 005C7382

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: %x%s$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload via terminating chunk.$XAb$operation aborted by callback$read function returned funny value
API String ID: 0-2134544425
Opcode ID: 1a2814651b5e9895876b6774a7c73fd7151b1fda28a49986031b20d5b1c4b79d
Instruction ID: 10c0f0cec4217f6641b77a515482d2df2df0c401b355ce46835af48bdcef4baa
Opcode Fuzzy Hash: 1a2814651b5e9895876b6774a7c73fd7151b1fda28a49986031b20d5b1c4b79d
Instruction Fuzzy Hash: E1511831A003499FDB20DFA8D856FFEBBE5FF89310F04046DE85A97282DA756D408B90

Uniqueness

Uniqueness Score: -1.00%

Function 005E0780 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E07EA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E085D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E08CF

Strings

Connection time-out, xrefs: 005E07BC
set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 005E08F3
gfff, xrefs: 005E0885
gfff, xrefs: 005E0804

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 885266447-870032562
Opcode ID: 7f8e553f83653e353e46ae655eb28e641dbbeee685b1f44612f831c7a1f5261b
Instruction ID: 6969bd1ed9dad1f8677bf68b02c0eddb5e38be3639cd9770b1599aa2cd900ab1
Opcode Fuzzy Hash: 7f8e553f83653e353e46ae655eb28e641dbbeee685b1f44612f831c7a1f5261b
Instruction Fuzzy Hash: 8B41C5B1B00616ABD708DF6ADC85799BBA9FF88300F045529E948DB782E775ED508BC0

Uniqueness

Uniqueness Score: -1.00%

Function 005643B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00564422
PostMessageW.USER32(?,00000010,00000001,00000000), ref: 00564439
SendMessageW.USER32(?,00000112,0000F120,?), ref: 0056450D

Strings

closebtn, xrefs: 005643E2
maxbtn, xrefs: 00564487
minbtn, xrefs: 00564444
restorebtn, xrefs: 005644C7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Message$PostSendWindow
String ID: closebtn$maxbtn$minbtn$restorebtn
API String ID: 259590922-318950520
Opcode ID: a59826b901cdece0a47d4e49242466b3f04e9de18b024896232d9303bff8f8fc
Instruction ID: a17432119c20f34a9a1356016b74cd1f800b635f4940e7dfee42574d23f17a8c
Opcode Fuzzy Hash: a59826b901cdece0a47d4e49242466b3f04e9de18b024896232d9303bff8f8fc
Instruction Fuzzy Hash: 08418F3160010297EF24AB20CC03BB67AA2FB35759F4544B5D946DB255EF23DE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005DED90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 005DEDF3
htons.WS2_32(?), ref: 005DEE06
send.WS2_32(?,?,00000003,00000000), ref: 005DEE85
WSAGetLastError.WS2_32 ref: 005DEE8F
send.WS2_32(?,?,00000002,00000000), ref: 005DEEC7
WSAGetLastError.WS2_32 ref: 005DEED1

Strings

Sending data failed (%d), xrefs: 005DEE96, 005DEED8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: 56c3b679382c65eebf54624e09dde9b6f48b791671f2e5844402f838fc420235
Instruction ID: 531dd1f9e8707c74bdd1a9aafd1124cf740c371ce49d47e46bf81ecbf86fa117
Opcode Fuzzy Hash: 56c3b679382c65eebf54624e09dde9b6f48b791671f2e5844402f838fc420235
Instruction Fuzzy Hash: 6941F3706046019FD712DF28C886AB97FB9FF69310F2405A6F95ADF382D730A911CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005C43F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 112COMMON

Download Yara Rule

Strings

If-Unmodified-Since, xrefs: 005C4495
Invalid TIMEVALUE, xrefs: 005C4442
Last-Modified, xrefs: 005C448E
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 005C44D9
Mb, xrefs: 005C44AF
If-Modified-Since, xrefs: 005C449C, 005C44D8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: Mb$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified
API String ID: 0-1618591332
Opcode ID: cc1709742c671771ff6042971318e3091366b13e283b58f9226793c7a807719f
Instruction ID: bb97bcae641e461344beeb151ee1cd79968bb353c786af862b8cf39ce19a15e1
Opcode Fuzzy Hash: cc1709742c671771ff6042971318e3091366b13e283b58f9226793c7a807719f
Instruction Fuzzy Hash: E131FA316001099FCF18DFE8EC55FBDBBBAFB85311F60056DE90A9B241DA266E158B80

Uniqueness

Uniqueness Score: -1.00%

Function 00618DD7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00618E2A
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00618E43
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00618E4A
PMDtoOffset.LIBCMT ref: 00618E69

Strings

Bad dynamic_cast!, xrefs: 00618EAB

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6726608b9ddecc640007886064c9ec303bda3045c54d13ded2092cdd6c38d6ee
Instruction ID: 2bf481739d72b3cb7296f479cb8606dfc5771673f2d15458adacb56a5663cf8e
Opcode Fuzzy Hash: 6726608b9ddecc640007886064c9ec303bda3045c54d13ded2092cdd6c38d6ee
Instruction Fuzzy Hash: 9321F672A003059FCB18DF68DD46AEA77B6FF95724F184619F91193280DF30ED4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 005BE630 Relevance: 12.3, APIs: 8, Instructions: 312networkCOMMON

Download Yara Rule

APIs

select.WS2_32(?,?,00000000,?,?), ref: 005BE8BC
WSAGetLastError.WS2_32 ref: 005BE8C7
__WSAFDIsSet.WS2_32(000000FF,?), ref: 005BE982
__WSAFDIsSet.WS2_32(000000FF,?), ref: 005BE999
__WSAFDIsSet.WS2_32(000000FF,?), ref: 005BE9B5
__WSAFDIsSet.WS2_32(000000FF,?), ref: 005BE9C9
__WSAFDIsSet.WS2_32(?,00000000), ref: 005BE9E5
__WSAFDIsSet.WS2_32(?,?), ref: 005BE9F9

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: d5b65cd3fe0e245a08953c882e8045e7ee3930763ccb0e51e8176c1f10de9a8e
Instruction ID: 30fb90c6617e2ec9ea3838eca1f8eb2302d7b80dec923f911e67f551f519fcf3
Opcode Fuzzy Hash: d5b65cd3fe0e245a08953c882e8045e7ee3930763ccb0e51e8176c1f10de9a8e
Instruction Fuzzy Hash: FAC1B671E006198BDF25CF289D866ED7B79FF58320F5846A9E859D7181DB30AEC08F90

Uniqueness

Uniqueness Score: -1.00%

Function 0055CD70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0055CDA0
GetTextMetricsW.GDI32(?,006576CC), ref: 0055CDAF
SelectObject.GDI32(?,00000000), ref: 0055CDBC
SelectObject.GDI32(?,00000380), ref: 0055CDEA
GetTextMetricsW.GDI32(?,00000410), ref: 0055CDFB
SelectObject.GDI32(?,00000000), ref: 0055CE08

Strings

<ve, xrefs: 0055CDC0

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ObjectSelect$MetricsText
String ID: <ve
API String ID: 3697559710-2525859393
Opcode ID: 9e83e1393458370bd51258d40627fd36bf1271687dfa73c009bde25a86ff8141
Instruction ID: 741ebeadf19c20ae40204bba43c1de99db6d48d2810c778399d6f43d62f21ef9
Opcode Fuzzy Hash: 9e83e1393458370bd51258d40627fd36bf1271687dfa73c009bde25a86ff8141
Instruction Fuzzy Hash: 7B113C36504208AFCF11AF59EC84AD57FAAFB55322F4481B2EE0CCB161DA711999DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00612518 Relevance: 12.2, APIs: 8, Instructions: 204COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00612542
_free.LIBCMT ref: 0061261B
_free.LIBCMT ref: 00612648

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 9170cb6d72e7e70a1d61d83f0b48179ed9a9bad54968518e1e840b822e0e9ee4
Instruction ID: 414c1aad07ea43d4e5ba7b4a6622dc7a825689688a492f46ae4a0790d7533d72
Opcode Fuzzy Hash: 9170cb6d72e7e70a1d61d83f0b48179ed9a9bad54968518e1e840b822e0e9ee4
Instruction Fuzzy Hash: A65106B0D44307AFDB24EFB498A1AEF77A7AF01310F18416EE510973C1DA3186A1CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00590C70 Relevance: 12.1, APIs: 8, Instructions: 124windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00590C9C
SendMessageW.USER32(?,00001001,00000000,?), ref: 00590CC9
SendMessageW.USER32(?,00000008,?,?), ref: 00590D04
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00590D0F
DefWindowProcW.USER32(?,?,?,?), ref: 00590D41
DefWindowProcW.USER32(?,00000101,?,?), ref: 00590D64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00590D8A
CallWindowProcW.USER32(?,?,?,?,?), ref: 00590DCF

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: MessageProcWindow$Send$CallPost
String ID:
API String ID: 2702885961-0
Opcode ID: a8b70e57edcff816feabeda014d017669f017b31c8c4de74f911861e89c1578b
Instruction ID: ebda5000e5b90e0fc852048a177b9aa7f674c18db287696f6769f954a33c9e18
Opcode Fuzzy Hash: a8b70e57edcff816feabeda014d017669f017b31c8c4de74f911861e89c1578b
Instruction Fuzzy Hash: A2418E75600715BFCB149F54CC89F69BBAAFF58311F044669F9185B6A0CB72BC60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0058EEF0 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00576000: IsRectEmpty.USER32(?), ref: 0057608E

GetDC.USER32(00000000), ref: 0058EF70
GetDeviceCaps.GDI32(00000000,00000058), ref: 0058EF81
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0058EF88
ReleaseDC.USER32(00000000,00000000), ref: 0058EF91
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0058EFA7
MulDiv.KERNEL32(000009EC,?,?), ref: 0058EFBA
OffsetRect.USER32(?,?,?), ref: 0058F020
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0058F06F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CapsDeviceRect$EmptyMoveOffsetReleaseWindow
String ID:
API String ID: 3865870406-0
Opcode ID: 4be00cb14f970975e6ba75312ba34ddb3df89733dc26221c54cdfc9bb14edf9c
Instruction ID: 8acacc0bf9aacbe81212798a03341a77bdbaadb4ec1de46fc7feb12e8404b9e7
Opcode Fuzzy Hash: 4be00cb14f970975e6ba75312ba34ddb3df89733dc26221c54cdfc9bb14edf9c
Instruction Fuzzy Hash: 80514C71608701EFD720DF28C889BAA7BF5FB88314F044A6DFD999B251DB31A844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0058CA70 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

valuechanged, xrefs: 0058CBDF, 0058CC4C, 0058CD69

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: valuechanged
API String ID: 0-4135814588
Opcode ID: f1b8fb24c08d1e3d1db1fdb4327ae354d677e35e8b1aa1d6a09b1ed8a509655a
Instruction ID: 7fb1325aab7b1bcaefbfb7936540ee50f5798ac067b2a202a036673e8dc9f335
Opcode Fuzzy Hash: f1b8fb24c08d1e3d1db1fdb4327ae354d677e35e8b1aa1d6a09b1ed8a509655a
Instruction Fuzzy Hash: 5DF17371700B018FD724EE78C585BAABFE6BFD4310F14492EE99AA7284CB71B854C790

Uniqueness

Uniqueness Score: -1.00%

Function 005281C0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 392libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,ProductTestidSubKeyName), ref: 005282B7
GetProcAddress.KERNEL32(00000000), ref: 005282BE

Strings

ProductTestidSubKeyName, xrefs: 00528284
ProductVerSubKey, xrefs: 0052823E
kernel32, xrefs: 005282AE
GetNativeSystemInfo, xrefs: 005282A9

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNativeSystemInfo$ProductTestidSubKeyName$ProductVerSubKey$kernel32
API String ID: 1646373207-3527134549
Opcode ID: d81ffe12f0520759c9122a807d09d19ddd8c63d9980b8ad89a6b851396f455d7
Instruction ID: 39e237da76c082df55f05a7a743794cbdc9e767a431ff56b92a278a1f808d67e
Opcode Fuzzy Hash: d81ffe12f0520759c9122a807d09d19ddd8c63d9980b8ad89a6b851396f455d7
Instruction Fuzzy Hash: 47E14A71A112559BDB04DFB8DC857ADBF72FF8A304F20861CE4149B2D5EB79A684CB80

Uniqueness

Uniqueness Score: -1.00%

Function 005AA430 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,6F923D37), ref: 005AA485
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005AA55F

Strings

CDownloadHelper::CalcSpeedPro, xrefs: 005AA57D, 005AA761
%s %d download mini size timeout:%d, xrefs: 005AA782
%s %d time:%d,size:%I64d, xrefs: 005AA59A
list<T> too long, xrefs: 005AA7B3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: SleepUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s %d download mini size timeout:%d$%s %d time:%d,size:%I64d$CDownloadHelper::CalcSpeedPro$list<T> too long
API String ID: 4141101911-161206272
Opcode ID: edaec422fff11e1b3b8078f85a1468841c6c538a3398c8800106e36534b53110
Instruction ID: 23a41245467c710563a223bf5fce1984ebb75e14328862712737520e1616cbad
Opcode Fuzzy Hash: edaec422fff11e1b3b8078f85a1468841c6c538a3398c8800106e36534b53110
Instruction Fuzzy Hash: 0EC19971E002059FCB14CFA8D885BAEBBF2FF8A314F158199E905AB391D771AD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005808A0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00580957

Strings

, xrefs: 0058097F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect
String ID:
API String ID: 400858303-3916222277
Opcode ID: 69a688baa8080590894aeeef0994794f527f28ca952bafa0ae512c1d174cf169
Instruction ID: 50fb1950d10e11e98186fd7608effba5fe451262cb16cca4d6c9e230e0bc6355
Opcode Fuzzy Hash: 69a688baa8080590894aeeef0994794f527f28ca952bafa0ae512c1d174cf169
Instruction Fuzzy Hash: 02B1CE313046018FD764DF68C855BAAFBE5FF99714F04465AE989EB2A1CB30EC19CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00558BC0 Relevance: 10.8, APIs: 7, Instructions: 266COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00558C87
DestroyWindow.USER32(?,?,?,?,?,?,?,00000000,0061EFD0,000000FF), ref: 00558CC1
DeleteDC.GDI32(?), ref: 00558CEC
DeleteDC.GDI32(?), ref: 00558CF9
DeleteObject.GDI32(?), ref: 00558D06
DeleteObject.GDI32(?), ref: 00558D13
ReleaseDC.USER32(?,?), ref: 00558D26

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Delete$Object$DestroyReleaseWindow
String ID:
API String ID: 743758788-0
Opcode ID: 7a2a01d97d11046a818d710da7803395f73e82a1fe8a8d79b8d69950b4ec34d9
Instruction ID: f685026bd351f68bdd0d5be78417496f1c7b8d7e2439f3f211f98862ff705bd9
Opcode Fuzzy Hash: 7a2a01d97d11046a818d710da7803395f73e82a1fe8a8d79b8d69950b4ec34d9
Instruction Fuzzy Hash: 7B914FB06006069BDB25EB34C8A9A7B7BE9BF50741F04082DE85AD7251EF34F949CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00585100 Relevance: 10.8, APIs: 7, Instructions: 257COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F01), ref: 00585168
SetCursor.USER32(00000000), ref: 0058516F
PtInRect.USER32(?,?,?), ref: 00585263
PtInRect.USER32(?,?,?), ref: 005852A5

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CursorRect$Load
String ID:
API String ID: 2751897888-0
Opcode ID: 30f4464961826e80871e169ad1a6f4908ac3570e6158beed1904509d33767e7e
Instruction ID: 8e2e602b81ea6b1dd33ddb84a4b710d315c065538d7bb1b4e98f6912d1923a27
Opcode Fuzzy Hash: 30f4464961826e80871e169ad1a6f4908ac3570e6158beed1904509d33767e7e
Instruction Fuzzy Hash: 8A91A4357006029BCF14EF68D488B69BBE2FF95311F14056AE859EB251EB71EC61CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005A8F80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 244threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,005A9350,?,00000000,00000000), ref: 005A913C
CreateThread.KERNEL32(00000000,00000000,005AA410,?,00000000,00000000), ref: 005A9158
CloseHandle.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 005A916A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 005A9173
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 005A917E

Strings

.temp, xrefs: 005A9012

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CloseCreateHandleThread$ObjectSingleWait
String ID: .temp
API String ID: 272024972-2462334126
Opcode ID: 58683ae88ead3de7ed5a0f3484937d18235e90465fd0f13a32fb809571cbdc65
Instruction ID: 9e46c548d1c9a54aabf8385ac4974dba547e59523d08e19b5931767f8ea6aa2d
Opcode Fuzzy Hash: 58683ae88ead3de7ed5a0f3484937d18235e90465fd0f13a32fb809571cbdc65
Instruction Fuzzy Hash: A1911671A002559FDB18CF38DC89B5D7FA6FF8A300F108258E9149B296EB75F944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0058F130 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

CLSIDFromString.OLE32(?,?), ref: 0058F1CE
CLSIDFromProgID.OLE32(?,?), ref: 0058F1D6

Strings

clsid, xrefs: 0058F158
true, xrefs: 0058F2F3
delaycreate, xrefs: 0058F2B5
modulename, xrefs: 0058F25A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: From$ProgString
String ID: clsid$delaycreate$modulename$true
API String ID: 2510552579-1263489701
Opcode ID: 2c23429c84147b1aa40b798982c8d8c65e2871602077f11932b807c10fec3cf4
Instruction ID: 9f222154bbfdd8856660c9ba32f651ec6385d186923bd72d103516d1fcaffd8a
Opcode Fuzzy Hash: 2c23429c84147b1aa40b798982c8d8c65e2871602077f11932b807c10fec3cf4
Instruction Fuzzy Hash: A8710B266142429BD724FB24D8027FBBBA2FFBD314F444979EC46A7241FB329950C391

Uniqueness

Uniqueness Score: -1.00%

Function 00562E10 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00562D80: CharNextW.USER32(?,00000000,0056258D,?,00562A26,0056258D), ref: 00562DA7

Part of subcall function 00562DC0: CharNextW.USER32(0056258D,?,0056258D,?,00562A99,0056258D,0056258D), ref: 00562DFC

CharNextW.USER32(?,0056258D,0056258D,?,0056258D,00000000,0056258D,0056258D), ref: 00562E95
CharNextW.USER32(0000002F,0056258D,0056258D,?,0056258D,00000000,0056258D,0056258D), ref: 00562EE7
CharNextW.USER32(0000002F,0056258D,0056258D,00000022,0056258D,0056258D,?,0056258D,00000000,0056258D,0056258D), ref: 00562F57

Strings

Error while parsing attributes, xrefs: 00562FBE
Error while parsing attribute string, xrefs: 00562F83
Expected attribute value, xrefs: 00562FA7

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CharNext
String ID: Error while parsing attribute string$Error while parsing attributes$Expected attribute value
API String ID: 3213498283-2127762582
Opcode ID: 3c79db835fef5c28cc6b7f18033362bc7acfe91136cff8877ff7c83105bf9930
Instruction ID: f15f76b3cb5d035f3c0b98f077e675bb06877647a5e062226bb377b5075b7a50
Opcode Fuzzy Hash: 3c79db835fef5c28cc6b7f18033362bc7acfe91136cff8877ff7c83105bf9930
Instruction Fuzzy Hash: AC51C4356006069BC724EF1DD4519B9F7F5FF99351B54806AF984CB390EB358D82C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00591110 Relevance: 10.7, APIs: 7, Instructions: 166COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F01), ref: 00591172
SetCursor.USER32(00000000), ref: 00591179
IsWindow.USER32(?), ref: 00591206
ShowWindow.USER32(?,00000001), ref: 00591219
ReleaseCapture.USER32 ref: 00591290
IsWindow.USER32(?), ref: 005912EA
ShowWindow.USER32(?,00000001), ref: 005912F9

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$CursorShow$CaptureLoadRelease
String ID:
API String ID: 3716655541-0
Opcode ID: d2ecb003081d91a95b9239bfbbc09161beba957c20a760d628282490c0cd26d6
Instruction ID: ee8d3c83ac4de5abde61089cb75b91324e237d17e2ad978a42ef539ceca0961e
Opcode Fuzzy Hash: d2ecb003081d91a95b9239bfbbc09161beba957c20a760d628282490c0cd26d6
Instruction Fuzzy Hash: 9351AF35600A139FEF24EF29D848BB8BBE2BF96300F044569E559C7252CB31EC51CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0052E7E0 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0052E823
std::_Lockit::_Lockit.LIBCPMT ref: 0052E845
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E865
__Getctype.LIBCPMT ref: 0052E904
__Getcvt.LIBCPMT ref: 0052E917
std::_Facet_Register.LIBCPMT ref: 0052E951
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E969

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
String ID:
API String ID: 2755674607-0
Opcode ID: 8e8310b43e21cb7e29f84bb3116bdd72d5ceed7223b54cd0224b55f12fa8f1dd
Instruction ID: 509e07b71f3e1179c5d221a0006309bcc07ef2d81c64a04250ab75bb8c9bc4ce
Opcode Fuzzy Hash: 8e8310b43e21cb7e29f84bb3116bdd72d5ceed7223b54cd0224b55f12fa8f1dd
Instruction Fuzzy Hash: 8D510471D00355CFCB11CF18D882A6ABBB4FF55314F148269E885AB292EB30FE81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005F2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005F292B
___except_validate_context_record.LIBVCRUNTIME ref: 005F2933
_ValidateLocalCookies.LIBCMT ref: 005F29C1
__IsNonwritableInCurrentImage.LIBCMT ref: 005F29EC
_ValidateLocalCookies.LIBCMT ref: 005F2A41

Strings

csm, xrefs: 005F29D6

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 12b36b5d263d2af3ef34b24c4f97cda3e6b26f9a3cf1ae4ca51b8c90fc9b8c47
Instruction ID: af9dd9b4695459edceeced7818e43157ad1b9612f104eb67a53d1a75afa2b6e1
Opcode Fuzzy Hash: 12b36b5d263d2af3ef34b24c4f97cda3e6b26f9a3cf1ae4ca51b8c90fc9b8c47
Instruction Fuzzy Hash: 7641D774A0020D9BCF10DF69C844ABEBFB5BF44324F148165EA149B392D779DA55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00524730 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0052475D

Part of subcall function 005F188D: RaiseException.KERNEL32(?,?,005ECDEB,6F923D37,6F923D37,?,?,?,?,?,?,005ECDEB,6F923D37,00650C00,?,6F923D37), ref: 005F18ED

__CxxThrowException@8.LIBVCRUNTIME ref: 0052479C
std::locale::_Init.LIBCPMT ref: 0052483A

Strings

ios_base::badbit set, xrefs: 00524767, 00524788, 005247C1
ios_base::eofbit set, xrefs: 00524776
ios_base::failbit set, xrefs: 0052466F, 00524771

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Exception@8Throw$ExceptionInitRaisestd::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 687216407-1866435925
Opcode ID: 561ad570b2552b9b257cc92936e70b2b317f595619a15b0ea810922b4439ab45
Instruction ID: d780a3e92b69a5a527f949da69077fdfba5d33a4861842ef633b7332e7e354f2
Opcode Fuzzy Hash: 561ad570b2552b9b257cc92936e70b2b317f595619a15b0ea810922b4439ab45
Instruction Fuzzy Hash: 753103B1900715ABE304DF14D90AB96BBE4FF41714F04462DE9149BAC0EBBAB818CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0060C42E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0060C485
ext-ms-, xrefs: 0060C499

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: fc94f55edf81448b0f9bb93c2395637ef575cbf9b949434f1dd3b9332cafb18b
Instruction ID: 288abd6d4bb2176f59c60a8104dfe6b68eaaade37962e6c42ffca1e54c4c12ef
Opcode Fuzzy Hash: fc94f55edf81448b0f9bb93c2395637ef575cbf9b949434f1dd3b9332cafb18b
Instruction Fuzzy Hash: DE21F331AC5625ABCB359B259C60ABB379BBB11770F160311ED0AAB3D0D630EC01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00602900 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00602942

Strings

@&`, xrefs: 0060290F, 00602916, 00602941
.exe, xrefs: 0060294F
.cmd, xrefs: 00602960
.com, xrefs: 00602982
.bat, xrefs: 00602971

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe$@&`
API String ID: 1752292252-1998130116
Opcode ID: 739cf9bbaf90d5236fdc39f831eb3fb87a267ca43dd261d528498f3e81dde2f2
Instruction ID: 4120111b3723cde8a8b74467478c84b340e3527ac33435884ba317960898e85f
Opcode Fuzzy Hash: 739cf9bbaf90d5236fdc39f831eb3fb87a267ca43dd261d528498f3e81dde2f2
Instruction Fuzzy Hash: 71010C27BC471B25A61C151EEC15AB7179EDFC1BB1F26002AF948F76C1DD49DC010194

Uniqueness

Uniqueness Score: -1.00%

Function 005583E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetPropW.USER32(?,WndX), ref: 00558400
GetPropW.USER32(?,WndX), ref: 00558428
CallWindowProcW.USER32(?,?,?,?,?), ref: 00558447
SetPropW.USER32(?,WndX,00000000), ref: 00558464
DefWindowProcW.USER32(?,?,?,?), ref: 0055848A

Strings

WndX, xrefs: 005583FA, 00558422, 0055845E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Prop$ProcWindow$Call
String ID: WndX
API String ID: 1029653574-1375107400
Opcode ID: 5a3e5af871dc7b918b7b4d5978fc28ff11cbde2dcb2008f0ddfdb69608348e19
Instruction ID: 6b236798680129bb4f4d1100b942229c6db569c2077a470b8c7f0970e0e434ce
Opcode Fuzzy Hash: 5a3e5af871dc7b918b7b4d5978fc28ff11cbde2dcb2008f0ddfdb69608348e19
Instruction Fuzzy Hash: 3F11C332200215ABDB209F44EC48E7FBFA9FF99725F048416FD09A7251CB729C119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005C6570 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005C6596
___from_strstr_to_strchr.LIBCMT ref: 005C65B1
___from_strstr_to_strchr.LIBCMT ref: 005C65C6

Strings

HTTP, xrefs: 005C657B
The requested URL returned error: %s, xrefs: 005C65D5
The requested URL returned error: %d, xrefs: 005C65F6

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: HTTP$The requested URL returned error: %d$The requested URL returned error: %s
API String ID: 601868998-4174864708
Opcode ID: d34a51d82a978986f3e559e0ad1560527a83be0981d2ba715a6c86cc45d43c1a
Instruction ID: 4e30e4441d18627b77f3fe88204870dfdaadc345c78eece5ac86fa54c95433e3
Opcode Fuzzy Hash: d34a51d82a978986f3e559e0ad1560527a83be0981d2ba715a6c86cc45d43c1a
Instruction Fuzzy Hash: 510148366813623ADB1126E46C46BDA7F886F52725F0C0075FA0C59283E688374483F3

Uniqueness

Uniqueness Score: -1.00%

Function 0057C0D0 Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

CreatePen.GDI32(?,?), ref: 0057C108
SelectObject.GDI32(?,00000000), ref: 0057C118
GetStockObject.GDI32(00000005), ref: 0057C11E
SelectObject.GDI32(?,00000000), ref: 0057C128
RoundRect.GDI32(?,?,?,?,?,?,?), ref: 0057C141
SelectObject.GDI32(?,00000000), ref: 0057C14B
DeleteObject.GDI32(00000000), ref: 0057C14E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Object$Select$CreateDeleteRectRoundStock
String ID:
API String ID: 1454345155-0
Opcode ID: 475cb618e40445fd4aa45102efe1163555554d306d73b9e38c61804817288116
Instruction ID: 5e23c2c03161fc6b39e62f33ce19e2188acac71050176b1b70dab078fba7005f
Opcode Fuzzy Hash: 475cb618e40445fd4aa45102efe1163555554d306d73b9e38c61804817288116
Instruction Fuzzy Hash: D5115E32C00118BFCB115FA5DC49CAABFBAEF95362B014065F909A7130C7318D61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0057C040 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

CreatePen.GDI32(?,?), ref: 0057C078
SelectObject.GDI32(?,00000000), ref: 0057C088
GetStockObject.GDI32(00000005), ref: 0057C08E
SelectObject.GDI32(?,00000000), ref: 0057C098
Rectangle.GDI32(?,?,?,?,?), ref: 0057C0AB
SelectObject.GDI32(?,00000000), ref: 0057C0B5
DeleteObject.GDI32(00000000), ref: 0057C0B8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Object$Select$CreateDeleteRectangleStock
String ID:
API String ID: 2689421921-0
Opcode ID: dd48d383333d5a990f7b6a56f2ff379330ac4d74e54bb8bfe65870a137fd8455
Instruction ID: d6623f21646d453c93efe04dcc19b7cc357805ed1daaad9e1f79d59214a76280
Opcode Fuzzy Hash: dd48d383333d5a990f7b6a56f2ff379330ac4d74e54bb8bfe65870a137fd8455
Instruction Fuzzy Hash: 95012132D00118BFDB115FA5DC49CAABFF9EF95262B014166F909D7130C7718D61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0054EB20 Relevance: 9.4, APIs: 1, Strings: 5, Instructions: 405COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,?,00000002,00000000,?,?), ref: 0054ECD5

Strings

Language, xrefs: 0054ECF7
.ini, xrefs: 0054EE64
Home_Installer, xrefs: 0054EDB2
Click_Language, xrefs: 0054ED88
text, xrefs: 0054EB90

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: .ini$Click_Language$Home_Installer$Language$text
API String ID: 626452242-539808209
Opcode ID: af6322383b7698356f3dc814249e7b86ad226b3e5896170efaf753bfe8281462
Instruction ID: cdd40b0bb9ec9f951799085fc2420a113a963b34e238724c10b79b2512c4d5ef
Opcode Fuzzy Hash: af6322383b7698356f3dc814249e7b86ad226b3e5896170efaf753bfe8281462
Instruction Fuzzy Hash: CFE10471A00258DBDF18DF68CC8ABDEBF76BF85308F108558E405AB2C6D775AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00609154 Relevance: 9.3, APIs: 6, Instructions: 319fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(005F96C3,00000000,?), ref: 0060919C
__fassign.LIBCMT ref: 0060937B
__fassign.LIBCMT ref: 00609398
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006093E0
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00609420
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 006094CC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a26ebb983ee30f433448b7ca11b1eb3d87313e2f121478f63812576524397a1e
Instruction ID: a612e9d82fe41c6d981830d27e257001e638d685e80534299ca04ee2a310f2f3
Opcode Fuzzy Hash: a26ebb983ee30f433448b7ca11b1eb3d87313e2f121478f63812576524397a1e
Instruction Fuzzy Hash: 4DD18075D052589FCF19CFE8C8809EEBBB6FF49314F284169E855B7382D6309A46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00606368 Relevance: 9.2, APIs: 6, Instructions: 223COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006063F8
_free.LIBCMT ref: 00606413
_free.LIBCMT ref: 0060641E
_free.LIBCMT ref: 0060652D

Part of subcall function 0060C205: HeapAlloc.KERNEL32(00000008,00521057,00000000,?,0060ADF3,00000001,00000364,00000006,000000FF,?,0055ED42,00639F54,00639F56), ref: 0060C246

_free.LIBCMT ref: 00606502

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

_free.LIBCMT ref: 00606523

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$Heap$AllocErrorFreeLast
String ID:
API String ID: 2104767428-0
Opcode ID: dbcd6205ce616250d266f96c2a9140a2b4ee359e30278b0c95fe2b1e51d80feb
Instruction ID: 2bb2d574b0801f5b3179dfb2a4bd365b1678ecdd225b72a73c9f354335d333ad
Opcode Fuzzy Hash: dbcd6205ce616250d266f96c2a9140a2b4ee359e30278b0c95fe2b1e51d80feb
Instruction Fuzzy Hash: 07518A7AA442115BDF1CAFA8D8516FB77E7DF85320F24409EF944DB3C1EA329E128290

Uniqueness

Uniqueness Score: -1.00%

Function 00526C6D Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 00526E82
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00526FB1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 005270B5

Strings

%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00526EC8
GUID, xrefs: 00526FF8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ByteCharMultiWide$CreateGuid
String ID: %08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$GUID
API String ID: 3151152241-3533722326
Opcode ID: 38adb256e244402b39410fe6baab7fd111f2fead97ab460db55adf68822f058d
Instruction ID: f97809850c2b79259a0f3697563402753a069af1fac64e51d2cbefefb95f2be3
Opcode Fuzzy Hash: 38adb256e244402b39410fe6baab7fd111f2fead97ab460db55adf68822f058d
Instruction Fuzzy Hash: 1AF138319002698BDF24CF74DC49BADBF76BF8A304F14468CE449AB2C6D775AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005B44B0 Relevance: 9.1, APIs: 6, Instructions: 66networkCOMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005B44DA

Part of subcall function 005CD690: getaddrinfo.WS2_32(?,?,?,?), ref: 005CD6AE
Part of subcall function 005CD690: freeaddrinfo.WS2_32(?), ref: 005CD79F

WSAGetLastError.WS2_32 ref: 005B4502
WSAGetLastError.WS2_32 ref: 005B4508
EnterCriticalSection.KERNEL32(?), ref: 005B451E
LeaveCriticalSection.KERNEL32(00000000), ref: 005B452D
LeaveCriticalSection.KERNEL32(00000000), ref: 005B454C

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CriticalSection$ErrorLastLeave$Enter___swprintf_lfreeaddrinfogetaddrinfo
String ID:
API String ID: 2327269287-0
Opcode ID: 425fb474185b3d4374bcd63e88607abc64bc22e088abe681127c86204aa360d4
Instruction ID: f87af71eb358087fd13ea44cce407ff4e81bbf93e346537b20f192541f2235a0
Opcode Fuzzy Hash: 425fb474185b3d4374bcd63e88607abc64bc22e088abe681127c86204aa360d4
Instruction Fuzzy Hash: 79118C715006099BC720DFA9DC85AABBBF9FF88300F500929E94AD7251DB31E9558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 005F2B05 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005F2AFC,005EFE7F), ref: 005F2B13
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F2B21
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F2B3A
SetLastError.KERNEL32(00000000,?,005F2AFC,005EFE7F), ref: 005F2B8C

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6fc702bf3a550bfc5573820320f265e1d26ce0021bd31120cdfed038cc1bb2fb
Instruction ID: b077dc4437ccf7911f0ab1f835a751565040fa33df4195825b8d8c109c03654a
Opcode Fuzzy Hash: 6fc702bf3a550bfc5573820320f265e1d26ce0021bd31120cdfed038cc1bb2fb
Instruction Fuzzy Hash: 9301B57210DB1B5EA7342B747C899772F45FB727B6B200329FB18851E0EF1948925140

Uniqueness

Uniqueness Score: -1.00%

Function 005C0740 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

Trying %s..., xrefs: 005C0809
Immediate connect fail for %s: %s, xrefs: 005C0A28
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 005C07D8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast$_strncpyclosesockethtons
String ID: Trying %s...$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 625237673-3338264681
Opcode ID: f20bb35cb4a119f7f9462804639663c56081fc627aa120b8a754bb8f1376b996
Instruction ID: 2a4fa16e8674294f95f49ee5bb101d4984747875a7b747816251a869e1ba086b
Opcode Fuzzy Hash: f20bb35cb4a119f7f9462804639663c56081fc627aa120b8a754bb8f1376b996
Instruction Fuzzy Hash: 4491A7719011199FEF20DBA8DC49FEE7BA9FF45310F4401EAF90DA7182D6355E848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00603052 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006030ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006031E8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006031FD

Strings

%0`, xrefs: 006031F3
%0`, xrefs: 006030BE, 006031B9

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %0`$%0`
API String ID: 885266447-511922796
Opcode ID: 0b2e62f49efa1106ec3f75018b8ea5b3a02f08c48ed33b019c64e2e47129ca9e
Instruction ID: cb795e3b8b4f6ba2b4c401be4b40928f29aaeb6a52ae0d62fbd7c46d36249fba
Opcode Fuzzy Hash: 0b2e62f49efa1106ec3f75018b8ea5b3a02f08c48ed33b019c64e2e47129ca9e
Instruction Fuzzy Hash: BD519171A40219AFCF18CF98CC91AEF7BBBEB89312F148059E955AB391D3319E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0052EE00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 0052EE5E
__Getcvt.LIBCPMT ref: 0052EEB6

Strings

true, xrefs: 0052EF20
false, xrefs: 0052EF07

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: 0a0fc3389d37e41455ab91ebd3d11b1555fffa8b785e45f4f3d217c68217eee6
Instruction ID: 3d26a7cf11c478eb49976aad58168e4be97b7dc3897aa4c28543069e5c8cffd7
Opcode Fuzzy Hash: 0a0fc3389d37e41455ab91ebd3d11b1555fffa8b785e45f4f3d217c68217eee6
Instruction Fuzzy Hash: F351C471D003589FDB10DFA4C845BAEFBB8FF49310F04826AE855AB281E775A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00524650 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0052475D

Part of subcall function 005F188D: RaiseException.KERNEL32(?,?,005ECDEB,6F923D37,6F923D37,?,?,?,?,?,?,005ECDEB,6F923D37,00650C00,?,6F923D37), ref: 005F18ED

__CxxThrowException@8.LIBVCRUNTIME ref: 0052479C
std::locale::_Init.LIBCPMT ref: 0052483A

Strings

ios_base::badbit set, xrefs: 00524767, 00524788, 005247C1
ios_base::failbit set, xrefs: 0052466F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Exception@8Throw$ExceptionInitRaisestd::locale::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 687216407-1240500531
Opcode ID: 1878c78b134673434d7d74d1550cf3a64e87c5d5395e9c7816968ff82f033fc2
Instruction ID: bf9af2a3d3ffb396de27a43ed779b15c5ce3354f63f6dfdb63f73823de368a64
Opcode Fuzzy Hash: 1878c78b134673434d7d74d1550cf3a64e87c5d5395e9c7816968ff82f033fc2
Instruction Fuzzy Hash: 345112B1900649AFD704CF58D845BAEBFB8FF4A710F14421DE814AB6C1DB75A904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00544280 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 005443D5
ShowWindow.USER32(?,00000000,?,DOWNLOAD_VERSION), ref: 005443E4
PostQuitMessage.USER32(00000000), ref: 005443EC

Strings

TrialVersionName, xrefs: 005442C4
DOWNLOAD_VERSION, xrefs: 00544323

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Window$MessagePostQuitShow
String ID: DOWNLOAD_VERSION$TrialVersionName
API String ID: 3974996875-515370789
Opcode ID: 12123b33a7d157367c990489574d2edf742370f12bf2c43b05fd197db9184ef8
Instruction ID: ea4be1d44a3e9e32042102e81fce53fdec7e8a420cae3a44a6099c2e56771d16
Opcode Fuzzy Hash: 12123b33a7d157367c990489574d2edf742370f12bf2c43b05fd197db9184ef8
Instruction Fuzzy Hash: 34412270A01309ABDB14EF68D90AB9EBFB5FF46B14F10455CE8056B3C2DB75AA408BD1

Uniqueness

Uniqueness Score: -1.00%

Function 005D8060 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005D808A

Strings

%s%s%s, xrefs: 005D8112
NLST, xrefs: 005D80EE, 005D8111
8qb, xrefs: 005D8108
LIST, xrefs: 005D80F3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s%s%s$8qb$LIST$NLST
API String ID: 601868998-695285723
Opcode ID: 26c97de7e60e94c8dcc8a9f14918aa5815e7591c1674976144f2d66049a38c4a
Instruction ID: 7963847685beea22c653db4b6052b09ea89eda6aecde47bd3317334cd83345b6
Opcode Fuzzy Hash: 26c97de7e60e94c8dcc8a9f14918aa5815e7591c1674976144f2d66049a38c4a
Instruction Fuzzy Hash: 343145757006156BEB249B28EC09BBB7F5AFF85795F08407AFD08C6342DB22994987E0

Uniqueness

Uniqueness Score: -1.00%

Function 005D6DA0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,?), ref: 005D6DD4
accept.WS2_32(?,?,00000010), ref: 005D6DF0

Part of subcall function 005E44D0: ioctlsocket.WS2_32(?,8004667E,?), ref: 005E44EA

Strings

Error accept()ing server connect, xrefs: 005D6E09
Connection accepted from server, xrefs: 005D6E2D
Ij], xrefs: 005D6DB3, 005D6DFB, 005D6E8A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect$Ij]
API String ID: 36920154-1476985251
Opcode ID: f0f79d97e232fb9e3326efea8b350d52d3a06e83f087f219b14f9d16cae1bf88
Instruction ID: 1814bd3272754ab06c123a6c8398890e74394149f880bd8337d678bf23c989e7
Opcode Fuzzy Hash: f0f79d97e232fb9e3326efea8b350d52d3a06e83f087f219b14f9d16cae1bf88
Instruction Fuzzy Hash: D031E671A002096BDB10EF68EC46BEEBB68FF49314F50056AFD09A72C2DA31691587E1

Uniqueness

Uniqueness Score: -1.00%

Function 005C0AA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 005C0AD4
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 005C0B4D
WSAGetLastError.WS2_32 ref: 005C0B57

Strings

Failed to set SO_KEEPALIVE on fd %d, xrefs: 005C0ADF
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 005C0B5F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorIoctlLastsetsockopt
String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 1819429192-277924715
Opcode ID: a3d39205d8f87cbb1a13d6e3401f0c0a9d91ecb6a0a33c86bcd64a4cb61894be
Instruction ID: c840d683f3af6a7cb8efcf1e84bdbaa28efc033c0c9cee4a15a804206ecda2aa
Opcode Fuzzy Hash: a3d39205d8f87cbb1a13d6e3401f0c0a9d91ecb6a0a33c86bcd64a4cb61894be
Instruction Fuzzy Hash: 1E21B671E40209AFEB10DFA49C06FFE7BB9EB95700F10016EF905FA1C0DA746A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 005EE679 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE683
LeaveCriticalSection.KERNEL32(00656968,?,?,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE6B6
SetEvent.KERNEL32(00000000,00524AA9,006578D0,00620570,00000000,00000000), ref: 005EE744
ResetEvent.KERNEL32 ref: 005EE750

Strings

hie, xrefs: 005EE67D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID: hie
API String ID: 3553466030-811730611
Opcode ID: cb005d1a57fea30cbac5e339a9f4e8a67745cfb5adefce4197bb7200877e1b8b
Instruction ID: 7aec1a12d5637771de78cb8fa78559e7fe89d89948c8dfb252685708a1ec3d59
Opcode Fuzzy Hash: cb005d1a57fea30cbac5e339a9f4e8a67745cfb5adefce4197bb7200877e1b8b
Instruction Fuzzy Hash: 1F018F35A05B60DBCB04DF18FD589957BAAFB49303B112069F906DB370CB305981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00546670 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000,?), ref: 00546724

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

SelectObject.GDI32(00000000,00000000), ref: 00546736
GetTextExtentPointW.GDI32(00000000,?,00000000,?), ref: 00546755
DeleteObject.GDI32(00000000), ref: 0054675C
ReleaseDC.USER32(00000000,00000000), ref: 00546766

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Object$DeleteExtentPointReleaseSelectTextWindow_free
String ID:
API String ID: 1134633668-0
Opcode ID: 351162aebbc5cdddf64e35763693ce8f0408bf1546b5c8f66217d8bb8fe50052
Instruction ID: efd82a24a65f83640d2719c83047836ff3f0455b83c06d40566cc3c99a1f1df2
Opcode Fuzzy Hash: 351162aebbc5cdddf64e35763693ce8f0408bf1546b5c8f66217d8bb8fe50052
Instruction Fuzzy Hash: 10814A71A002099FCB14DF68CC85BEEBBB6FF89318F144229E805D7251EB34AE54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005C80D0 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 005C80F9
___from_strstr_to_strchr.LIBCMT ref: 005C811E
___from_strstr_to_strchr.LIBCMT ref: 005C8147

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_strstr
String ID:
API String ID: 2668852316-0
Opcode ID: 1cae599173c279a86436aced15bb35c7bef3e475809c73cb58c53fb7be52a602
Instruction ID: c3479ff8ce4fcfe462215e7abdca3feefc3652b8d3d8131c70edb3328486c1ec
Opcode Fuzzy Hash: 1cae599173c279a86436aced15bb35c7bef3e475809c73cb58c53fb7be52a602
Instruction Fuzzy Hash: A8514675904386AEEB324AE89C49F763FE5BF51344F1C04BCE98846243EE759946C362

Uniqueness

Uniqueness Score: -1.00%

Function 006025AA Relevance: 7.6, APIs: 5, Instructions: 144pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00602833,00000000,?), ref: 006025CC
GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00602833,00000000), ref: 00602626
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00602833,00000000,?,?,00000000,?,?), ref: 006026B4
__dosmaperr.LIBCMT ref: 006026BB
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00602833), ref: 006026F8

Part of subcall function 006029AE: __dosmaperr.LIBCMT ref: 006029F2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: b07ca24825a635c5eec9eb4e66f8a6aa10c4c9567f83d49117592d0af557ae92
Instruction ID: 7dbbd6922f40cff5f7d136a6a3d33255024ebffc276473d6052cb1bbc1479c28
Opcode Fuzzy Hash: b07ca24825a635c5eec9eb4e66f8a6aa10c4c9567f83d49117592d0af557ae92
Instruction Fuzzy Hash: B3416D71950205AFCB29DFB5DC599ABBBFAEF88300B10492DF856D3650EB31A845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0060673D Relevance: 7.6, APIs: 5, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006067AB
_free.LIBCMT ref: 006067CB
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0060682C
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0060683E
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0060684B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 82cb21e4c185ae25ebdd5cc026658db8b980b193cbd07a0985a7713f59876546
Instruction ID: adfe3d3006bb335383361a86177f3dbd0e6c94b4e4f861d6cf37bb4b2a01fe61
Opcode Fuzzy Hash: 82cb21e4c185ae25ebdd5cc026658db8b980b193cbd07a0985a7713f59876546
Instruction Fuzzy Hash: 2341B176A402049BCB18DF68C881A9EB7F7EF89714F1584ACE615EB381DB31ED11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0052E3D0 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0052E404
std::_Lockit::_Lockit.LIBCPMT ref: 0052E424
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E444
std::_Facet_Register.LIBCPMT ref: 0052E508
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E520

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: ff27c3f237f6ecce03f64bb7c7b2fc621b28365c2e84a5ecc23e79ad96590fdf
Instruction ID: d9dbc8f8e8cd77eb3d5f3ac1e77118f7feba8936cf6d070df4b367efc9da2aff
Opcode Fuzzy Hash: ff27c3f237f6ecce03f64bb7c7b2fc621b28365c2e84a5ecc23e79ad96590fdf
Instruction Fuzzy Hash: 3941FE71A002248BCB14DF44E886BAEBFB5FF41714F24415DE845AB381EB71AE41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0052E290 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0052E2BD
std::_Lockit::_Lockit.LIBCPMT ref: 0052E2DD
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E2FD
std::_Facet_Register.LIBCPMT ref: 0052E39B
std::_Lockit::~_Lockit.LIBCPMT ref: 0052E3B3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: d19cff7a3fd459113d1b59fa461d0d89bb798a4eaefc2d29b7d0e13821fca024
Instruction ID: f50cb1acfb496a1532a390f7b3d84689c236778e4d167be2e546f471e72e8629
Opcode Fuzzy Hash: d19cff7a3fd459113d1b59fa461d0d89bb798a4eaefc2d29b7d0e13821fca024
Instruction Fuzzy Hash: 2741FF31A04261DFCB15DF58E886BAABFB5FF65311F14886DE8469B281DB30BD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00590A10 Relevance: 7.6, APIs: 5, Instructions: 89windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00590AA6
GetLocalTime.KERNEL32(?), ref: 00590AE7
SendMessageW.USER32(00000000,00001002,00000000,?), ref: 00590B00
ShowWindow.USER32(00000000,00000004), ref: 00590B0B
SetFocus.USER32(00000000), ref: 00590B14

Part of subcall function 00590B30: IntersectRect.USER32(?,?,?), ref: 00590BAB

Part of subcall function 00557EC0: GetClassInfoExW.USER32(00000000,00000000), ref: 00557F0C
Part of subcall function 00557EC0: GetClassInfoExW.USER32(00520000,00000000), ref: 00557F2C
Part of subcall function 00557EC0: RegisterClassExW.USER32(00000030), ref: 00557F69
Part of subcall function 00557EC0: GetLastError.KERNEL32 ref: 00557F74
Part of subcall function 00557EC0: LoadCursorW.USER32 ref: 00557FE2
Part of subcall function 00557EC0: RegisterClassW.USER32(00000000), ref: 0055800D
Part of subcall function 00557EC0: GetLastError.KERNEL32(?,?,?,00000000,00007F00), ref: 00558018

Part of subcall function 0055D430: SelectObject.GDI32(?,00000000), ref: 0055D4B1
Part of subcall function 0055D430: GetTextMetricsW.GDI32(?,00000000), ref: 0055D4C5
Part of subcall function 0055D430: SelectObject.GDI32(?,00000000), ref: 0055D4D5

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Class$ErrorInfoLastMessageObjectRegisterSelectSend$CursorFocusIntersectLoadLocalMetricsRectShowTextTimeWindow
String ID:
API String ID: 190525129-0
Opcode ID: 00284f04dd1f35bcd1d855aad7f09547a543c9e8ec64e7749d183e9424ff640e
Instruction ID: f02b585a33417e01579ab90befdb9c718682a29a87042b9910389650dc8cf705
Opcode Fuzzy Hash: 00284f04dd1f35bcd1d855aad7f09547a543c9e8ec64e7749d183e9424ff640e
Instruction Fuzzy Hash: 6F31AC75600205AFDB24DF64CD49F69BBB6FF99300F0041A8F509AB6A1CB71ACA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0057C160 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0055E350: _wcschr.LIBVCRUNTIME ref: 0055E36B

SetBkMode.GDI32(00000000,00000001), ref: 0057C1DC
SetTextColor.GDI32(?,00000000), ref: 0057C206
SelectObject.GDI32(?,00000000), ref: 0057C221
DrawTextW.USER32(?,?,000000FF,?,?), ref: 0057C23F
SelectObject.GDI32(?,00000000), ref: 0057C247

Part of subcall function 005F41FD: _free.LIBCMT ref: 005F4210

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ObjectSelectText$ColorDrawMode_free_wcschr
String ID:
API String ID: 667260486-0
Opcode ID: ef2e0890050a94800d6e60ed2cae84f1a08f6f99000da9e404a4410b51f77630
Instruction ID: 6c43c7665fd057e9767edb635fc2ff5fb3cb54ad830db063805f4f5f977df63c
Opcode Fuzzy Hash: ef2e0890050a94800d6e60ed2cae84f1a08f6f99000da9e404a4410b51f77630
Instruction Fuzzy Hash: AD317F769001299BDF24DF64CC85AEEB7B9BF58210F00819AF949E3281DE305E858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00528970 Relevance: 7.6, APIs: 5, Instructions: 61windowthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00528910,00000000,00000000,00000000), ref: 00528994
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005289CC

Part of subcall function 0055E740: GetWindowLongW.USER32(?,000000F0), ref: 0055E752
Part of subcall function 0055E740: GetParent.USER32(?), ref: 0055E765
Part of subcall function 0055E740: GetParent.USER32(?), ref: 0055E7F5

TranslateMessage.USER32(?), ref: 005289E2
DispatchMessageW.USER32(?), ref: 005289E8
CloseHandle.KERNEL32(00000000), ref: 005289FD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Message$Parent$CloseCreateDispatchHandleLongPeekThreadTranslateWindow
String ID:
API String ID: 3191479290-0
Opcode ID: 2cf5166da0e516f27b738a5fcb5a9d2e29749cb5fa54b6826fac07e6a209cd4e
Instruction ID: 7135a2b7b7ddc69165ec2ecce13dc5ee6fe7314e43f47356b5b5c8dc1740d65a
Opcode Fuzzy Hash: 2cf5166da0e516f27b738a5fcb5a9d2e29749cb5fa54b6826fac07e6a209cd4e
Instruction Fuzzy Hash: 5011E771A45318AADF20DBA0AC56FF97BE9BB1A700F041055E904BB1D1DE60E844CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00612F3A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00612F52

Part of subcall function 0060AEA3: HeapFree.KERNEL32(00000000,00000000,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?), ref: 0060AEB9
Part of subcall function 0060AEA3: GetLastError.KERNEL32(?,?,006131DE,?,00000000,?,00654B9C,?,00613483,?,00000007,?,?,0061383A,?,?), ref: 0060AECB

_free.LIBCMT ref: 00612F64
_free.LIBCMT ref: 00612F76
_free.LIBCMT ref: 00612F88
_free.LIBCMT ref: 00612F9A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85c03b12f3a6b728511756bf2fca6193dd1cb07a48bc5a9a0008f10b40eae71a
Instruction ID: 779d40474f3bd91d0da6930674df0c9599d7efc4465cbd496dd4dda4ae62d125
Opcode Fuzzy Hash: 85c03b12f3a6b728511756bf2fca6193dd1cb07a48bc5a9a0008f10b40eae71a
Instruction Fuzzy Hash: 90F0AF72188702ABC764EBA5F885DD777FBAA64351B580848F058DB240CF30FCC09A94

Uniqueness

Uniqueness Score: -1.00%

Function 00554C60 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 276synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000001,00000008,?,?,?), ref: 00554D22
GetLastError.KERNEL32(?,00000021,00000000), ref: 00554D66

Strings

InstallerName, xrefs: 00554CA8
list<T> too long, xrefs: 00554F83

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: InstallerName$list<T> too long
API String ID: 1925916568-3642140868
Opcode ID: 9ce73828e9954910fd61a229e5d672c5f5ebd30dcab06c03c797ed43dcf2af16
Instruction ID: 3b5d6e6552663a89a35220e009990eadbfa17bb96f5a3538ef8b4fe4cebbceeb
Opcode Fuzzy Hash: 9ce73828e9954910fd61a229e5d672c5f5ebd30dcab06c03c797ed43dcf2af16
Instruction Fuzzy Hash: 39A1CF71A102049FCB24DF68D89ABADBBBAFF49305F144519E845EB791D730A988CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00538020 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 188windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 00538077

Strings

Downloading, xrefs: 0053809C
Click_Min, xrefs: 00538089
Installing, xrefs: 00538196

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: MessageSend
String ID: Click_Min$Downloading$Installing
API String ID: 3850602802-1326491023
Opcode ID: 7a3632708471c83b8e2035332f2b6ffb5b8d25bec05e401c6982efae05707cc5
Instruction ID: 66583c4a05b6bf78d266b6c303b16bf5cef655ef3ea2cea3986f8f66c964b2b3
Opcode Fuzzy Hash: 7a3632708471c83b8e2035332f2b6ffb5b8d25bec05e401c6982efae05707cc5
Instruction Fuzzy Hash: D671B371E002499FDF08DFA4D98AB9EBFB5BF85300F208519F515AB396DB74AA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005CC98D Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 005CCAA9
___swprintf_l.LIBCMT ref: 005CCB23

Strings

%ld, xrefs: 005CCA9D
.%ld, xrefs: 005CCB17

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___swprintf_l
String ID: %ld$.%ld
API String ID: 48624451-3262811310
Opcode ID: 1ac6fea46c9b80fcaeae2e0b52df8184dd2429680e8d0d83f7314e069d48b96c
Instruction ID: 933451befc4fecb29b8499015341040f9f28cc3744e2a3142c1463fb36c8dc70
Opcode Fuzzy Hash: 1ac6fea46c9b80fcaeae2e0b52df8184dd2429680e8d0d83f7314e069d48b96c
Instruction Fuzzy Hash: 2E71E27090465E8EEB21CAA8C845BF8BFB1FF49344F1041EAD84DA7281DB349E82DF51

Uniqueness

Uniqueness Score: -1.00%

Function 005C0DD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005C0E8D

Strings

Proxy-, xrefs: 005C0F03, 005C0F0B
%sAuthorization: Digest %s, xrefs: 005C0F0C
%.*s, xrefs: 005C0E9D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %.*s$%sAuthorization: Digest %s$Proxy-
API String ID: 601868998-541442569
Opcode ID: db0ab5af509bebc1cd77b994a23f80d6a3fdcce27ea43149eab5cac281024860
Instruction ID: 04b9d62de44e1678890f3d8326678722b632df994ee7a917023f17e83529beb1
Opcode Fuzzy Hash: db0ab5af509bebc1cd77b994a23f80d6a3fdcce27ea43149eab5cac281024860
Instruction Fuzzy Hash: D9418471A00209EFDB14DF98DC45BAA7FA9FF48310F1484B9E908D7381E7359D508B91

Uniqueness

Uniqueness Score: -1.00%

Function 00576F60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00576F7B
SetCursor.USER32(00000000,?,?,00592236,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00576F82

Strings

timer, xrefs: 00576FD4
menu, xrefs: 00577007

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Cursor$Load
String ID: menu$timer
API String ID: 1675784387-2593718399
Opcode ID: 6f4ee927989751a4b2e3ba470369ef5492b825843087232686be7274b730717e
Instruction ID: 383f5310773f13c69cd6189674eb765611f8062465a2551bd30413862b0007dd
Opcode Fuzzy Hash: 6f4ee927989751a4b2e3ba470369ef5492b825843087232686be7274b730717e
Instruction Fuzzy Hash: 342107323146055BCA20DA9CBC05FADBB95FBA9321F00426BFA49C7181CA62A86197E5

Uniqueness

Uniqueness Score: -1.00%

Function 005DE340 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,?), ref: 005DE360
WSACleanup.WS2_32 ref: 005DE38D

Strings

insufficient winsock version to support telnet, xrefs: 005DE3B5
WSAStartup failed (%d), xrefs: 005DE36B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CleanupStartup
String ID: WSAStartup failed (%d)$insufficient winsock version to support telnet
API String ID: 915672949-1763879679
Opcode ID: 4ef9614b44f70ade5f80de618d975ded2602ec41100210acfc5f1dec46612ec4
Instruction ID: dea106786acd6a07f18178fa6f6953a3b4afc7fec37939cf28eea6841cb09e91
Opcode Fuzzy Hash: 4ef9614b44f70ade5f80de618d975ded2602ec41100210acfc5f1dec46612ec4
Instruction Fuzzy Hash: BD01B931A0011C5BDF20EB5CAC17BFD775AEB45305F4004D6EC0A9B281DD346E168795

Uniqueness

Uniqueness Score: -1.00%

Function 005DEC20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000003,00000000), ref: 005DEC49
WSAGetLastError.WS2_32(?,005DEB2F,?,000000FE,?,?,?,005DF3DA,?,?,?,RCVD,000000FB,?), ref: 005DEC53

Strings

SENT, xrefs: 005DEC6C
Sending data failed (%d), xrefs: 005DEC5A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: 4650b81f8d84eb214a8d50b2b1163720d90978701d8ba6303eb7eff3c3d52f7f
Instruction ID: 01bf48c23d708bbb92a11769386bdafa93bf690dd90fa5a9408dc3d8552305bc
Opcode Fuzzy Hash: 4650b81f8d84eb214a8d50b2b1163720d90978701d8ba6303eb7eff3c3d52f7f
Instruction Fuzzy Hash: 96F04632200348BFDB21AF5CEC42DEA3F6DFF55720F048019FD589B252C230A5108BA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B7070 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005CDD50: GetModuleHandleA.KERNEL32(kernel32,?,00000002,005AC7EF), ref: 005CDD5E

GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 005B70B3

Strings

secur32.dll, xrefs: 005B7088
security.dll, xrefs: 005B708D, 005B7095
InitSecurityInterfaceA, xrefs: 005B70AD

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: 9fe9b0d1139e3107af6643c24e3cd610148bca5a743fa735c8ca667b7eb71052
Instruction ID: 10aa455663fd02507158f4a70395b7b9feed7ac38f19babb34398c3f1d8e3068
Opcode Fuzzy Hash: 9fe9b0d1139e3107af6643c24e3cd610148bca5a743fa735c8ca667b7eb71052
Instruction Fuzzy Hash: 39F065A0745B0B69EB24AB745C1AF562E57B7D4741FC06439B511DA1C2EA78C800CA20

Uniqueness

Uniqueness Score: -1.00%

Function 005EE6C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE6CE
LeaveCriticalSection.KERNEL32(00656968,?,?,?,005249F6,006578D0,6F923D37,?,?,00619FAA,000000FF), ref: 005EE70B

Strings

hie, xrefs: 005EE6C8

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: hie
API String ID: 3168844106-811730611
Opcode ID: 4f21f847882aefff505150034010940334ecbfa8e8fa06c05ff401b5c9f93d8d
Instruction ID: 686fe59f097ea2dcccd47a1ff4838a4fbb240a6e0a2c7db3869f7a90d55ec7f0
Opcode Fuzzy Hash: 4f21f847882aefff505150034010940334ecbfa8e8fa06c05ff401b5c9f93d8d
Instruction Fuzzy Hash: 4FF0A731510281DFC328AF19E845A657FB9FB55732F24022DF9D98B2E0DB301982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005EE4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005EE506

Strings

hhie, xrefs: 005EE517
csm, xrefs: 005EE4D1

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: __scrt_initialize_thread_safe_statics_platform_specific
String ID: csm$hhie
API String ID: 3781127973-1032493083
Opcode ID: c31ddc3751cde153752b4e1ecff7fa043f408584eeb5f0c4316d49b421a70e0d
Instruction ID: 19bf6c592fc15a3380d51e5d770c72e0105b9bb8b9920d34822ea08d01185942
Opcode Fuzzy Hash: c31ddc3751cde153752b4e1ecff7fa043f408584eeb5f0c4316d49b421a70e0d
Instruction Fuzzy Hash: B7F01C7591028A8FDF08EF99C44AB9D7BB1BF48301F140455F180BB281EB255D009B21

Uniqueness

Uniqueness Score: -1.00%

Function 00586990 Relevance: 6.4, APIs: 4, Instructions: 352COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00586A34

Part of subcall function 0055B850: InvalidateRect.USER32(?,00576E25,00000000,00000000,?,00576E25,?), ref: 0055B899

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect$Invalidate
String ID:
API String ID: 2327632943-0
Opcode ID: 7fb5a947c2e463eb00896743848d3be3ebe78af1cbaf72a3b086d147252894b0
Instruction ID: 148229dbb1447a0e2bc7c9ec72483c3049435313217d4977b6800be0cf7b15c5
Opcode Fuzzy Hash: 7fb5a947c2e463eb00896743848d3be3ebe78af1cbaf72a3b086d147252894b0
Instruction Fuzzy Hash: AFE13770704B019FD758EF38C595AAABBE6BFD9300F40492DE99AE7250DB31A850CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005BA240 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005BA294
___from_strstr_to_strchr.LIBCMT ref: 005BA2EE
___from_strstr_to_strchr.LIBCMT ref: 005BA31D

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID:
API String ID: 601868998-0
Opcode ID: ea146facbf076219e5fccf9123546bf07c2d7b2e27f7232ffc10e2a1d72d4212
Instruction ID: 3334f32443e7a8c360065ac47e3e8596e6e271abf066c7860d05f9c4e6571053
Opcode Fuzzy Hash: ea146facbf076219e5fccf9123546bf07c2d7b2e27f7232ffc10e2a1d72d4212
Instruction Fuzzy Hash: 92419F7AE042166BCF259E5898406FDFFE5BF81301F18406DDC4567202E632BE41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 005FEE1E Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a8abb020b70a73a1c16405bcd6d254553d3c1be30c79a6dbdea9dde916b6d8
Instruction ID: 6122c9f48e54a83d7fa5546564dda293ad68d634d60cb1e09391df941c7429a2
Opcode Fuzzy Hash: 11a8abb020b70a73a1c16405bcd6d254553d3c1be30c79a6dbdea9dde916b6d8
Instruction Fuzzy Hash: B241C772A00749AFD7149F78D846B6EBFEAFF88710F10492AF255DB291D275E9408780

Uniqueness

Uniqueness Score: -1.00%

Function 0060AC51 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,005F5049,00000000,?,?,?,005F46C8,?,?,00000000), ref: 0060AC56
_free.LIBCMT ref: 0060ACB3
_free.LIBCMT ref: 0060ACE9
SetLastError.KERNEL32(00000000,00000006,000000FF,?,005F46C8,?,?,00000000), ref: 0060ACF4

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d612aaf0da199a6ba28821b25c0409fb6bf844da0c57bd17f9927bf090d8868e
Instruction ID: 37244c54c3719865edf9dc856d97e565082ecb6bcc337f599b298b8af259181e
Opcode Fuzzy Hash: d612aaf0da199a6ba28821b25c0409fb6bf844da0c57bd17f9927bf090d8868e
Instruction Fuzzy Hash: BA1136322C47012BE75D63F49C81DBB332B8BC17F5B2A032CF630862E1DE618C429116

Uniqueness

Uniqueness Score: -1.00%

Function 0060ADA8 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00639F54,00521057,00654B9C,00602292,0060E7D5,?,0055ED42,00639F54,00639F56,?,?,?,00654B98,?,00521057,00639F54), ref: 0060ADAD
_free.LIBCMT ref: 0060AE0A
_free.LIBCMT ref: 0060AE40
SetLastError.KERNEL32(00000000,00000006,000000FF,?,0055ED42,00639F54,00639F56,?,?,?,00654B98,?,00521057,00639F54,000000FF), ref: 0060AE4B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 5cc0c326a7aa85e1c1d4f53784b1e6f2973e9c9ff2d009193cddb84a3704b145
Instruction ID: 4e73286c1859db195c993556760c011abdef679dfdf11371f557b39f80b7f359
Opcode Fuzzy Hash: 5cc0c326a7aa85e1c1d4f53784b1e6f2973e9c9ff2d009193cddb84a3704b145
Instruction Fuzzy Hash: F71125322C03012AC75C63F59C81EBB335B9BC17F6B2A0338F220C62E1DE608C46A526

Uniqueness

Uniqueness Score: -1.00%

Function 005F2DF4 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 005F2E0E

Part of subcall function 005F2D5B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005F2D8A
Part of subcall function 005F2D5B: ___AdjustPointer.LIBCMT ref: 005F2DA5

_UnwindNestedFrames.LIBCMT ref: 005F2E23
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005F2E34
CallCatchBlock.LIBVCRUNTIME ref: 005F2E5C

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: da910bc2c580f10b13586449ddaa19d0b77a4dd07c623ddc97968c1e416a8e4f
Instruction ID: d0c22d0447d1a432eac5d19edd6f0f3861896932886a4dc71482728adb58c50e
Opcode Fuzzy Hash: da910bc2c580f10b13586449ddaa19d0b77a4dd07c623ddc97968c1e416a8e4f
Instruction Fuzzy Hash: E501057210014ABBDF126E96CC4AEEB3F6EFF88754F144018FB1896121C636E9619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060F26E Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0060F36A,00000000,?,006175DF,00000000,00000000,0060F36A,?,?,00000000,00000000,00000001), ref: 0060F284
GetLastError.KERNEL32(?,006175DF,00000000,00000000,0060F36A,?,?,00000000,00000000,00000001,00000000,00000000,?,0060F36A,00000000,00000104), ref: 0060F28E
__dosmaperr.LIBCMT ref: 0060F295

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e5ac046ac961ae070e019dfa661f81c6012f9264de461d92fa91771b368d95b1
Instruction ID: d2de54621aef9cf4a49f869f5a06639f7b597e3e89a445fffa7cb39929aab525
Opcode Fuzzy Hash: e5ac046ac961ae070e019dfa661f81c6012f9264de461d92fa91771b368d95b1
Instruction Fuzzy Hash: C4F06D36244516BBDB345BE2CC0888BFF6BFF453A03118525F918CB9A0C731E9228BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00578E80 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 00578EAA
CreateRectRgnIndirect.GDI32(?), ref: 00578EB4
CreateRectRgnIndirect.GDI32(?), ref: 00578EC1
ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 00578ECE

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ClipCreateIndirectRect$Select
String ID:
API String ID: 4223180713-0
Opcode ID: cdcb1cbeacfb00157bd260feb7eb6bd38b8d9130329f54033a8141178d819185
Instruction ID: 25e657ab759c64a7b426e27ee34691c22e8f622348c0c0d07778d8d86b832750
Opcode Fuzzy Hash: cdcb1cbeacfb00157bd260feb7eb6bd38b8d9130329f54033a8141178d819185
Instruction Fuzzy Hash: DE017171D0434C9BDB00CFA4D9859EEBBBAEF6A300F106256F905AA111EF70ABD48761

Uniqueness

Uniqueness Score: -1.00%

Function 005742D0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000,?,FFFFFFFF,?,00574C78,?,?), ref: 0057430B

Strings

xLW, xrefs: 005742F3, 0057452E
xLW, xrefs: 00574383, 00574503, 005743AE

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: FilePointer
String ID: xLW$xLW
API String ID: 973152223-1815305505
Opcode ID: 96b95736e4f9ebb0d123da4745a4f1d2aba59ce70f2452e5a5a937bfd2c668f0
Instruction ID: 7b524360c9e01f15de16680ec7b1c1235130294cc2f3f60a36c588072f096f85
Opcode Fuzzy Hash: 96b95736e4f9ebb0d123da4745a4f1d2aba59ce70f2452e5a5a937bfd2c668f0
Instruction Fuzzy Hash: 2B815470A00616DBCF24DE68D98466DBBF6BF85364B108B69D829973D4E770DE00BF80

Uniqueness

Uniqueness Score: -1.00%

Function 005D11E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

select/poll on SSL socket, errno: %d, xrefs: 005D13D1
schannel: timed out sending data (bytes sent: %zd), xrefs: 005D13EF

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 0-3891197721
Opcode ID: 51230e6f78ffa9c328c88600b5f053433a0766ed89e44896748d091925556f6c
Instruction ID: 2c6306ef626f10548d50496e0deba3369ebfb05f441b7fd7c67cce7bb135d7dc
Opcode Fuzzy Hash: 51230e6f78ffa9c328c88600b5f053433a0766ed89e44896748d091925556f6c
Instruction Fuzzy Hash: D5818B71A00208AFDB10DF98DC86B9DBBB5FF88314F140566F915EB392D731A851CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00604324 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006043BD

Strings

pow, xrefs: 00604395, 006043B2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 820f15d0c65afe371d8f18f27860676d02b2aa9a11b97ba4b800680e89cee62f
Instruction ID: 3c93675cdc584da984eef512e4536f7a30f20270dce2b748e215f1f9a5f831e0
Opcode Fuzzy Hash: 820f15d0c65afe371d8f18f27860676d02b2aa9a11b97ba4b800680e89cee62f
Instruction Fuzzy Hash: 1451CFA0A4910296CB2D7714C9523FB67D3EF42740F289D5DE3D1893E8EF308DD19A86

Uniqueness

Uniqueness Score: -1.00%

Function 005B09B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

Connection #%ld to host %s left intact, xrefs: 005B0BC2
%s, xrefs: 005B0BEC

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: %s$Connection #%ld to host %s left intact
API String ID: 0-118628944
Opcode ID: 5e6612d03bb8a4601a5ef74264617729ec653033417362728ea3baaf3f0d2585
Instruction ID: a94bd646da314b1bf3a820903677a2168edaf51e13791b9bf9ab341bd75afe52
Opcode Fuzzy Hash: 5e6612d03bb8a4601a5ef74264617729ec653033417362728ea3baaf3f0d2585
Instruction Fuzzy Hash: FC71E170A00705AFEB24DF24D889BEFBFE4BF05308F045569E95A52192DB747D98CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0056C340 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0056C418
PtInRect.USER32(?,?,?), ref: 0056C45E

Strings

itemclick, xrefs: 0056C4F6

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect
String ID: itemclick
API String ID: 400858303-803468992
Opcode ID: d22c1a552d65847a8ac3caa95fe5ecd238ec3e277c893cbcbd97de37b2c227ee
Instruction ID: 3ad9b808800c4a9f194285119e1125d072fb06b8a75f28ad3125631a044a4785
Opcode Fuzzy Hash: d22c1a552d65847a8ac3caa95fe5ecd238ec3e277c893cbcbd97de37b2c227ee
Instruction Fuzzy Hash: DA518F713006024BCE24EF2CC858BB97BA5FF95712F04496AE58ADB351DF62AC11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0055E350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0055E36B
_wcschr.LIBVCRUNTIME ref: 0055E51B

Strings

,we, xrefs: 0055E40A

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _wcschr
String ID: ,we
API String ID: 2691759472-2477792368
Opcode ID: 0003343b5bab886f1ca22bc98c6ca9509514fa99544825574bde8f6ac86123e2
Instruction ID: 41d238b2ae7efd8760a42e3685c852ddb557bff003a9d05a5e643672682c0171
Opcode Fuzzy Hash: 0003343b5bab886f1ca22bc98c6ca9509514fa99544825574bde8f6ac86123e2
Instruction Fuzzy Hash: 1251F435A003158BCF28DF28C856BBA7BB4BF45301F4505AAED4997240FB30EF498B81

Uniqueness

Uniqueness Score: -1.00%

Function 006121FD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00611D96: GetOEMCP.KERNEL32(00000000,0061200C,00000000,?,005F46C8,005F46C8,?,?,00000000), ref: 00611DC1

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00612053,?,00000000,00000000,?,?,?,?,?,005F46C8), ref: 0061225B
GetCPInfo.KERNEL32(00000000,S a,?,?,00612053,?,00000000,00000000,?,?,?,?,?,005F46C8,?,?), ref: 0061229D

Strings

S a, xrefs: 00612298, 0061229B

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: S a
API String ID: 546120528-1049246871
Opcode ID: 5a4310bf2a1775c523407dc8a2b64e0c62c0a687a2403e82de09fb9ad2f82665
Instruction ID: 77a8a2e54739d3201dbeadea53c452f12d35fd021f642df25bd7b4a99c4dc64e
Opcode Fuzzy Hash: 5a4310bf2a1775c523407dc8a2b64e0c62c0a687a2403e82de09fb9ad2f82665
Instruction Fuzzy Hash: 24512770A003469EDB21CF75C8616FFBBE6EF52300F1C456ED0A68B251D6789AD6CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0056A020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0056A13E
IntersectRect.USER32(?,?,?), ref: 0056A18E

Strings

Container, xrefs: 0056A066

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: IntersectRect
String ID: Container
API String ID: 481094312-1163095736
Opcode ID: 29729919d61c7be3b0e8a971a1720d0a01cb4236be0ea89ab9c022cc73a8ac7e
Instruction ID: b49d342a1f4d1a0a81a9c0564c0f2badc981cf54a127a827f9999538dec2a5e4
Opcode Fuzzy Hash: 29729919d61c7be3b0e8a971a1720d0a01cb4236be0ea89ab9c022cc73a8ac7e
Instruction Fuzzy Hash: 465149317046028FC754DF6CD890AAAB7E5BF9D300F144669E999DB361EB30ED44CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00524E80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000B), ref: 00524E9A
DestroyWindow.USER32(00000000), ref: 00524EA1

Strings

UILoginFrame, xrefs: 005250E0

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: DestroyParentWindow
String ID: UILoginFrame
API String ID: 2708952246-833703720
Opcode ID: 062efa5cc5151d2ea6f403c98eda3436fd39167dab12f752b6c47f3d5e927016
Instruction ID: cc1e8351b9e41cc581e222dd19040d92425fe0066a4cab750b352bc2b1012e96
Opcode Fuzzy Hash: 062efa5cc5151d2ea6f403c98eda3436fd39167dab12f752b6c47f3d5e927016
Instruction Fuzzy Hash: 81519FB1120A408BD7288B34DC9D7AABB96FF85305F544A0CE1AAC76E1E779B5448F44

Uniqueness

Uniqueness Score: -1.00%

Function 005D6F70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,005D72B0,?,?,?,?), ref: 005D708F

Strings

FTP response aborted due to select/poll error: %d, xrefs: 005D7096
FTP response timeout, xrefs: 005D70B2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLast
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout
API String ID: 1452528299-4057338436
Opcode ID: b6736ef5ac141f7d30a248133da16acb962ae879efb0e3cb95770083249c6cfe
Instruction ID: 65c8ba88b8e9f41adaf68166d00f65493e32ef8f943143b8de7aca597de84c94
Opcode Fuzzy Hash: b6736ef5ac141f7d30a248133da16acb962ae879efb0e3cb95770083249c6cfe
Instruction Fuzzy Hash: 8C41F271A0420A9BDF309F5DEC49AAEBFA5FB88315F0001BBE81897391E7318D11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0056A8A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0056A919
PtInRect.USER32(?,?,?), ref: 0056A95F

Strings

itemclick, xrefs: 0056A9E0

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: Rect
String ID: itemclick
API String ID: 400858303-803468992
Opcode ID: 515dfafcb685c8a0268bee5ff87f0cb0173d652aafa99f118f678a373f618567
Instruction ID: 4dfcc448aeaf4913a77433d499854eab7e9d3f1d3bf3ffbb5a5ed20f762ba5ab
Opcode Fuzzy Hash: 515dfafcb685c8a0268bee5ff87f0cb0173d652aafa99f118f678a373f618567
Instruction Fuzzy Hash: 6941F4313006028FCA30DF68C854FA9BBE5FF95711F14462AE556EB290DB62FC11CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00528A20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00639F54,00000000,6F923D37), ref: 00528AB6

Strings

%02d:%02d, xrefs: 00528B47
GMT, xrefs: 00528ABE

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: InformationTimeZone
String ID: %02d:%02d$GMT
API String ID: 565725191-3921161529
Opcode ID: 8dacff215522a012b0f86e9fa287faa81c53544c444935a7729294d3f28adb06
Instruction ID: 294e2a8a5e453377156789fb9f01a5f15490ae2f70df3411b3b2200bcc1087a0
Opcode Fuzzy Hash: 8dacff215522a012b0f86e9fa287faa81c53544c444935a7729294d3f28adb06
Instruction Fuzzy Hash: 9941D875A002189FDB14DF58DD457AEBBF9FF89310F44425AE805B7280DB746E448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00544130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 005441BA

Strings

LinkBuyNow, xrefs: 00544170
open, xrefs: 005441B3

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ExecuteShell
String ID: LinkBuyNow$open
API String ID: 587946157-4084998229
Opcode ID: 2f7c0b3daaa0e0649f721f8b54b1975b0eaf40fba7aec3fc897140c677a09161
Instruction ID: 06038cad29399050abc26077dfd68408b682197755d0a209fb56b21c72bac976
Opcode Fuzzy Hash: 2f7c0b3daaa0e0649f721f8b54b1975b0eaf40fba7aec3fc897140c677a09161
Instruction Fuzzy Hash: BD313971A40348AFDB14DF64DC46BAEBBB5FB49B14F108229F815AB7C0DB74A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005D4360 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

%02x, xrefs: 005D4436
APOP %s %s, xrefs: 005D445F

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID:
String ID: %02x$APOP %s %s
API String ID: 0-177642706
Opcode ID: bb71da095de298a7168fb43d6b7f0361f4440eedc75e5b1dfb508959e260628f
Instruction ID: f92d7bcfb8d7af10e794f0a266e94a8bdb04d881dd3757fb816c45041aa076d7
Opcode Fuzzy Hash: bb71da095de298a7168fb43d6b7f0361f4440eedc75e5b1dfb508959e260628f
Instruction Fuzzy Hash: 39312B31A002056BDB24EFA89C46BFE7B69FF85304F8405A6FC495B243DA315A0547A0

Uniqueness

Uniqueness Score: -1.00%

Function 005D6C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 005D6CD4
_strstr.LIBCMT ref: 005D6CEB

Strings

;type=, xrefs: 005D6CC2, 005D6CE0

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: _strstr
String ID: ;type=
API String ID: 2882301372-3507045495
Opcode ID: 819f02be0fc0f6b27b9289d0169c416914f72778d163a0d5cafe8c0f44c4b1ba
Instruction ID: acce9c86052a1f4e98f158fd4760ca1b928efc00cf56972029c0f6a1a0598735
Opcode Fuzzy Hash: 819f02be0fc0f6b27b9289d0169c416914f72778d163a0d5cafe8c0f44c4b1ba
Instruction Fuzzy Hash: C931E5B16006469EDB209F2CF854792BFE1BF46328F04057BD89D4B382D376A5568BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0055C080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 0055C099
GetTickCount.KERNEL32 ref: 0055C0CF

Strings

killfocus, xrefs: 0055C0F2

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: CountFocusTick
String ID: killfocus
API String ID: 3897604831-1616503811
Opcode ID: d72e58526fd2e5dedcc5171f6531342c85c108c07c8d64889dfb78075101bdde
Instruction ID: 6fa06bf9924ffe6c262d203bfcc431ca90d0b86c981c602103a51342bb012962
Opcode Fuzzy Hash: d72e58526fd2e5dedcc5171f6531342c85c108c07c8d64889dfb78075101bdde
Instruction Fuzzy Hash: CE317130A007459FD721CB74C854BEEBFF1BF99704F14455EE85A6B291D7B16888CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00580470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F4), ref: 005804E7
SendMessageW.USER32(?,0000004E,00000000,?), ref: 0058051A

Strings

textchanged, xrefs: 005804AA

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: LongMessageSendWindow
String ID: textchanged
API String ID: 3360111000-1330398090
Opcode ID: d5349fa24cbe77abcea4406c868f61cfc1b2042a85336dd31e4b68cf6abc3712
Instruction ID: 65a128aa884bb8ed0addf4ead3f8ceefd6243415a7576a8b0d8a9c3cf2d7cc93
Opcode Fuzzy Hash: d5349fa24cbe77abcea4406c868f61cfc1b2042a85336dd31e4b68cf6abc3712
Instruction Fuzzy Hash: CE11A2327001109FDB10AB58D888F59BFE6FF84321F118272FA0C9B2E1C674E845CB10

Uniqueness

Uniqueness Score: -1.00%

Function 005BEDF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 005BEE31
WSAGetLastError.WS2_32 ref: 005BEE48

Strings

Recv failure: %s, xrefs: 005BEE6E

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s
API String ID: 2514157807-4276829032
Opcode ID: 43b34796f4e667234edc794fad7e2cbcf9f221fa663967cb2c37e0eb17fe3fd0
Instruction ID: e58692d73330070d5890da8889f15f467fedab3810741eb96843b9b2c66d3b3b
Opcode Fuzzy Hash: 43b34796f4e667234edc794fad7e2cbcf9f221fa663967cb2c37e0eb17fe3fd0
Instruction Fuzzy Hash: FC119176200209AFDB109F59EC85AEABBACFF89364F104066F908C7250D371E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00584EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 00584ED2
GetWindowTextW.USER32(?,?,00000001), ref: 00584EEE

Part of subcall function 00576D90: IntersectRect.USER32(?,?,?), ref: 00576DFB

Strings

textchanged, xrefs: 00584F10

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: TextWindow$IntersectLengthRect
String ID: textchanged
API String ID: 1984522761-1330398090
Opcode ID: 0529d50986195a698495ba421fd43bb85c18e69f69bb5deb4d5f5c95decc90d4
Instruction ID: 52a2887e90866be9422bbcc7c0b14bfa8f3ecdccd7cd00f16940512dc307bca2
Opcode Fuzzy Hash: 0529d50986195a698495ba421fd43bb85c18e69f69bb5deb4d5f5c95decc90d4
Instruction Fuzzy Hash: 9E115E30610705AFD724EF64D85AF6A7BF5FB44305F04096DA9465B2A1CB71AD08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005BEEA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005BF3D0: recv.WS2_32(00000104,?,?,00000000), ref: 005BF47F

send.WS2_32(?,?,?,00000000), ref: 005BEEC6
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?), ref: 005BEEDC

Strings

Send failure: %s, xrefs: 005BEF04

Memory Dump Source

Source File: 00000000.00000002.2042894457.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2042877249.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042995932.0000000000621000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043036398.0000000000654000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043186087.0000000000655000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043225202.0000000000656000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043255365.0000000000658000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_EDownloader.jbxd

Similarity

API ID: ErrorLastrecvsend
String ID: Send failure: %s
API String ID: 3418755260-857917747
Opcode ID: 8ca995dd5fefcea160f9483244eb02ebfeab18f36c4d24b2d8f6ac906388e8d9
Instruction ID: acc97a16eb5283dbdf05a71b99b2e43a8c5ad58fd8903408cb15604ead0b7fd8
Opcode Fuzzy Hash: 8ca995dd5fefcea160f9483244eb02ebfeab18f36c4d24b2d8f6ac906388e8d9
Instruction Fuzzy Hash: AD019E76600115AFDB119F5CEC49ADA7BA8FF59330F050062F90897250C771BC208BE0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EDownloader.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\EasyLog.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: EDownloader.exePID: 3008, Parent PID: 1028

General

Chronological Activities

Windows Analysis Report
EDownloader.exe

Function 005639E0 Relevance: 35.5, APIs: 14, Strings: 6, Instructions: 472
windowCOMMON

Function 00526920 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159
COMMON

Function 0060EC7B Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 376
timeCOMMONLIBRARYCODE

Function 0060A524 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMONLIBRARYCODE

Function 00526110 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163
processCOMMON

Function 00557EC0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131
registryCOMMON

Function 005586B0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 219
libraryCOMMON

Function 00574920 Relevance: 12.2, APIs: 8, Instructions: 156
fileCOMMON

Function 00554810 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 333
COMMON

Function 0060EE58 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 173
timeCOMMONLIBRARYCODE

Function 00600F6D Relevance: 9.3, APIs: 6, Instructions: 285
COMMON

Function 005A6850 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 379
COMMON