Edit tour

Windows Analysis Report
_cdrecord.exe

Overview

General Information

Sample name:	_cdrecord.exe
Analysis ID:	1543858
MD5:	af7468dd406bd65837e1bf8fdb2e2e90
SHA1:	1ecf40e9d93f046ca2462556f13f260f143212db
SHA256:	07fcf0f808b802c8c4b568069f31f4b007cc64fec5af385325150709788ed34b
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to communicate with device drivers

Detected potential crypto function

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

_cdrecord.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\_cdrecord.exe" MD5: AF7468DD406BD65837E1BF8FDB2E2E90)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: _cdrecord.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\_cdrecord.exe

Code function: 0_2_0042FC80: memset,DeviceIoControl,CloseHandle,DeviceIoControl,GetLastError,CloseHandle,CloseHandle,

0_2_0042FC80

Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_004329A0	0_2_004329A0
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00431B00	0_2_00431B00
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00432C5C	0_2_00432C5C
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00432470	0_2_00432470
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00414D51	0_2_00414D51
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_004325C0	0_2_004325C0
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00431DF0	0_2_00431DF0
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_00431E80	0_2_00431E80
Source: C:\Users\user\Desktop\_cdrecord.exe	Code function: 0_2_0041477B	0_2_0041477B

Source: _cdrecord.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03

Source: _cdrecord.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\_cdrecord.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: _cdrecord.exe	String found in binary or memory: Use%s -help
Source: _cdrecord.exe	String found in binary or memory: start/stop unit
Source: _cdrecord.exe	String found in binary or memory: start/stop unit
Source: _cdrecord.exe	String found in binary or memory: ?medium load/unloadprevent/allow medium removalstart/stop unitset cd speedqic 02write_g0write_g1write_g5seek_g0seek_g1flush cacheread bufferwrite_bufferread subchannelread tocread headerread disk inforead track inforeserve_track_rzoneread dvd structuresend dvd structuresend opcclose track/sessionread master cuesend_cue_sheetread buffer capBFree: %ld K BSize: %ld K
Source: _cdrecord.exe	String found in binary or memory: ?medium load/unloadprevent/allow medium removalstart/stop unitset cd speedqic 02write_g0write_g1write_g5seek_g0seek_g1flush cacheread bufferwrite_bufferread subchannelread tocread headerread disk inforead track inforeserve_track_rzoneread dvd structuresend dvd structuresend opcclose track/sessionread master cuesend_cue_sheetread buffer capBFree: %ld K BSize: %ld K
Source: _cdrecord.exe	String found in binary or memory: support ejection of CD via START/STOP command
Source: _cdrecord.exe	String found in binary or memory: support ejection of CD via START/STOP command
Source: _cdrecord.exe	String found in binary or memory: Loading mechanism typesupport ejection of CD via START/STOP commandlock media on power up via prevent jumperallow media to be locked in the drive via PREVENT/ALLOW commandcurrently in a media-locked state Is %s%s
Source: _cdrecord.exe	String found in binary or memory: Loading mechanism typesupport ejection of CD via START/STOP commandlock media on power up via prevent jumperallow media to be locked in the drive via PREVENT/ALLOW commandcurrently in a media-locked state Is %s%s
Source: _cdrecord.exe	String found in binary or memory: start/stop
Source: _cdrecord.exe	String found in binary or memory: start/stop

Source: unknown	Process created: C:\Users\user\Desktop\_cdrecord.exe "C:\Users\user\Desktop\_cdrecord.exe"
Source: C:\Users\user\Desktop\_cdrecord.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\_cdrecord.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\_cdrecord.exe	Section loaded: cygwin1.dll			Jump to behavior

Source: C:\Users\user\Desktop\_cdrecord.exe

Code function: 0_2_004085B5 push E800440Eh; rep ret

0_2_004085BE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\_cdrecord.exe

Code function: 0_2_0042FA68 memset,GetVersionExA,

0_2_0042FA68

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	2 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
_cdrecord.exe	0%	ReversingLabs

Domains and IPs

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543858
Start date and time:	2024-10-28 15:07:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	_cdrecord.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target _cdrecord.exe, PID 5556 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: _cdrecord.exe

Joe Sandbox View / Context

Instruction
push ebp
mov ebp, esp
sub esp, 08h
and esp, FFFFFFF0h
mov eax, dword ptr [00458000h]
test eax, eax
je 00007F362C832AE3h
int3
fstcw word ptr [ebp-02h]
movzx eax, word ptr [ebp-02h]
and eax, FFFFF0C0h
mov word ptr [ebp-02h], ax
movzx eax, word ptr [ebp-02h]
or eax, 0000033Fh
mov word ptr [ebp-02h], ax
fldcw word ptr [ebp-02h]
mov dword ptr [esp], 00401050h
call 00007F362C868E56h
leave
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
mov eax, 000026BCh
call 00007F362C868795h
mov esi, dword ptr [ebp+08h]
mov edi, dword ptr [ebp+0Ch]
and esp, FFFFFFF0h
mov eax, 00000010h
call 00007F362C868782h
call 00007F362C868E7Dh
mov dword ptr [ebp-00002660h], 00000000h
mov dword ptr [ebp-0000265Ch], 00000028h
mov dword ptr [ebp-00002654h], FFFFFFFFh
mov dword ptr [ebp-00002650h], 00000000h
mov dword ptr [ebp-0000264Ch], 00000000h
mov dword ptr [ebp-00002664h], 00000000h
mov dword ptr [ebp-00002658h], 00000000h
mov dword ptr [ebp-00002680h], 00000000h

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c000	0xbcc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x36d50	0x36e00	871e3e5d69d6ed71e18600c34ec458f1	False	0.4344435150911162	data	6.217377719949441	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x38000	0x4e00	0x4e00	7887c0cf7b573fc85b7fb6261e9b8ac2	False	0.4250801282051282	data	5.9095201151221275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x3d000	0x1af10	0x1b000	5e1956c612630753e55adad921672b33	False	0.4856770833333333	data	6.363111916719902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x58000	0x3bb0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5c000	0xbcc	0xc00	0bce5cb3fb5307256366a51f00afe801	False	0.3837890625	data	4.817863915563165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL	Import
cygwin1.dll	__errno, __getreent, __isinfd, __isnand, __main, _ctype_, _exit, _fcntl64, _fdopen64, _fopen64, _fseeko64, _fstat64, _geteuid32, _getpwuid32, _getuid32, _impure_ptr, _lseek64, _mmap64, _open64, _setreuid32, _setuid32, _stat64, abort, atexit, atoi, calloc, close, cygwin_internal, dlclose, dll_crt0__FP11per_process, dlopen, dlsym, dup2, ecvt, execlp, exit, fclose, fcvt, fflush, fgets, fileno, fork, fputc, fread, free, fwrite, gcvt, getc, getenv, getpid, getpwnam, getrlimit, getservbyname, gettimeofday, isatty, kill, malloc, memcpy, memmove, memset, pause, putchar, puts, rcmd, read, realloc, rewind, select, setbuf, setmode, setpriority, setrlimit, setsockopt, signal, sleep, socketpair, strchr, strcmp, strcpy, strdup, strerror, strncmp, strncpy, strrchr, strstr, sysconf, usleep, valloc, wait, write
KERNEL32.dll	CloseHandle, CreateEventA, CreateFileA, DeviceIoControl, GetCurrentProcess, GetCurrentThread, GetDriveTypeA, GetLastError, GetModuleHandleA, GetVersionExA, ResetEvent, SetPriorityClass, SetThreadPriority, WaitForSingleObject

__errno, __getreent, __isinfd, __isnand, __main, _ctype_, _exit, _fcntl64, _fdopen64, _fopen64, _fseeko64, _fstat64, _geteuid32, _getpwuid32, _getuid32, _impure_ptr, _lseek64, _mmap64, _open64, _setreuid32, _setuid32, _stat64, abort, atexit, atoi, calloc, close, cygwin_internal, dlclose, dll_crt0__FP11per_process, dlopen, dlsym, dup2, ecvt, execlp, exit, fclose, fcvt, fflush, fgets, fileno, fork, fputc, fread, free, fwrite, gcvt, getc, getenv, getpid, getpwnam, getrlimit, getservbyname, gettimeofday, isatty, kill, malloc, memcpy, memmove, memset, pause, putchar, puts, rcmd, read, realloc, rewind, select, setbuf, setmode, setpriority, setrlimit, setsockopt, signal, sleep, socketpair, strchr, strcmp, strcpy, strdup, strerror, strncmp, strncpy, strrchr, strstr, sysconf, usleep, valloc, wait, write

KERNEL32.dll

CloseHandle, CreateEventA, CreateFileA, DeviceIoControl, GetCurrentProcess, GetCurrentThread, GetDriveTypeA, GetLastError, GetModuleHandleA, GetVersionExA, ResetEvent, SetPriorityClass, SetThreadPriority, WaitForSingleObject

Target ID:	0
Start time:	10:08:35
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\_cdrecord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\_cdrecord.exe"
Imagebase:	0x400000
File size:	433'295 bytes
MD5 hash:	AF7468DD406BD65837E1BF8FDB2E2E90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:08:35
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0042FC80 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 0042FBA9: CreateFileA.KERNEL32 ref: 0042FC2A
Part of subcall function 0042FBA9: CreateFileA.KERNEL32 ref: 0042FC6B

memset.CYGWIN1 ref: 0042FCD1
DeviceIoControl.KERNEL32 ref: 0042FD5C
CloseHandle.KERNEL32 ref: 0042FD71
DeviceIoControl.KERNEL32 ref: 0042FE1C
CloseHandle.KERNEL32 ref: 0042FEC8

Strings

0, xrefs: 0042FD12
d, xrefs: 0042FCFB
$, xrefs: 0042FD1D
P, xrefs: 0042FD33
,, xrefs: 0042FCE9
P, xrefs: 0042FD3F
P, xrefs: 0042FCBE

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle$memset
String ID: $$,$0$P$P$P$d
API String ID: 2861769238-2174330560
Opcode ID: 9e0f1a4ace77dbcca5397f85e36d97f48b545bf7c49172b1acd885fea778e2a6
Instruction ID: 7e40a2bce85369eb8e9c04fc14debd32ca0506d520e1741b3e91c21e9a4eb3d9
Opcode Fuzzy Hash: 9e0f1a4ace77dbcca5397f85e36d97f48b545bf7c49172b1acd885fea778e2a6
Instruction Fuzzy Hash: 4F612BB09087988EDB21DF69C44479AFFF0AF05304F4489AED8D997742D3799688CF52

Function 00431E80 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 388COMMON

Download Yara Rule

APIs

memset.CYGWIN1 ref: 004320D9

Strings

V, xrefs: 004320AB
*, xrefs: 00432227
V, xrefs: 004322BB
*, xrefs: 00432017

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: memset
String ID: *$*$V$V
API String ID: 2221118986-3580671525
Opcode ID: 8223d32872e1890313ee28f2f0a321579b5ca1fd4143904587e022bc5591db11
Instruction ID: b7ad7d31040748f33b0375e915380a22010ce120072c4f192b6e562fc1b57c1a
Opcode Fuzzy Hash: 8223d32872e1890313ee28f2f0a321579b5ca1fd4143904587e022bc5591db11
Instruction Fuzzy Hash: 21F1EA319043548FC704CF69C8902AABBF1FF9A315F1D85AED995AB343C2399946CBA4

Function 00414D51 Relevance: 5.0, APIs: 3, Instructions: 468COMMON

Download Yara Rule

APIs

sleep.CYGWIN1 ref: 00414D99
sleep.CYGWIN1 ref: 00414DB2

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: sleep
String ID:
API String ID: 255050412-0
Opcode ID: de1077f7d6f263606e8b85e63e49ef796ee7e3ed83387811b435462104106793
Instruction ID: ef38756df6fc5b1c5b654972a00693ba8f35fd49123c70e732856cbf27ca4a60
Opcode Fuzzy Hash: de1077f7d6f263606e8b85e63e49ef796ee7e3ed83387811b435462104106793
Instruction Fuzzy Hash: D8021571A0065A8FC708CF6DC9816D9BBE2EB85304F098279D494DF786D378E959CB90

Function 004325C0 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 301COMMON

Download Yara Rule

APIs

memmove.CYGWIN1 ref: 00432702

Strings

a, xrefs: 00432989

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: memmove
String ID: a
API String ID: 2162964266-3904355907
Opcode ID: 28bd0fff92f00045bc3569439ce6a6bf115b8d8b7e248f0866f225e4ced698df
Instruction ID: a11c8230a95c83cd708e7bd761c85f06dc8dd1db9550eb8e179d08ae7ab39cbd
Opcode Fuzzy Hash: 28bd0fff92f00045bc3569439ce6a6bf115b8d8b7e248f0866f225e4ced698df
Instruction Fuzzy Hash: 3AC14B741087E14BC729CF398590166BFE1AF5A205B0CC69EDCE98F787C274E655CBA0

Function 0042FA68 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.CYGWIN1 ref: 0042FA8B
GetVersionExA.KERNEL32 ref: 0042FA9D

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: Versionmemset
String ID:
API String ID: 3136939366-0
Opcode ID: 59be04fc3a23e0dd711e7fd0171d0d228509abb5e592f3f0a8dbfa9e8714d11e
Instruction ID: 2c96f08e4314872a2ce68c558374f263de19a94800f56b4f9a66448e429bdc2d
Opcode Fuzzy Hash: 59be04fc3a23e0dd711e7fd0171d0d228509abb5e592f3f0a8dbfa9e8714d11e
Instruction Fuzzy Hash: FEF039B0A043189AEB20EF24D58574ABBB4AB01348F5048BDD58D16242D7799A8CCB87

Function 00432C5C Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

E, xrefs: 00432D20

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: f7cc50a1453199557ae3d47cb477393bc9e08c242b28aac06f6c9737cef1818c
Instruction ID: fce0cf2f69286fd883d30533da7416d8fc51ef772e2db66574f84f2d3d078afb
Opcode Fuzzy Hash: f7cc50a1453199557ae3d47cb477393bc9e08c242b28aac06f6c9737cef1818c
Instruction Fuzzy Hash: A8813D31A046A64BCB05CF79C4941EEBFF1EF59301F198259D8D86B782C374AA19DBE0

Function 004329A0 Relevance: 1.5, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

memmove.CYGWIN1 ref: 00432A01

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 390f3dc84766854a9d1f66e848e5c9d6831f8e619a27e2c1c679d024a07b033c
Instruction ID: 6d82fa6229c4c9319b89a8fea5044584fd5efec439dd8cfb2bbfa157f7b47640
Opcode Fuzzy Hash: 390f3dc84766854a9d1f66e848e5c9d6831f8e619a27e2c1c679d024a07b033c
Instruction Fuzzy Hash: 62914D319042A54BCB05CF39C49416ABFB2AF89215F1DC69EECA85F387C375E916CB90

Function 00432470 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

E, xrefs: 00432489

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 7cb3387b23aabd452c24cb396cec7e22b5831f53c97b28183a5ab7af4d1000be
Instruction ID: 0a54a789f2b7b7d743eaaf11ee7e81fc1e63f644e7e12839b13735ac17c86a02
Opcode Fuzzy Hash: 7cb3387b23aabd452c24cb396cec7e22b5831f53c97b28183a5ab7af4d1000be
Instruction Fuzzy Hash: F1415B30E0426A4BDB05CA7D85A53EFBFF19F89205F144559E894BB3C2D2A59A09C790

Function 00431B00 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

PqE, xrefs: 00431B11

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: PqE
API String ID: 0-2741963274
Opcode ID: d9a643cc478c39b250c68add5d0551f7a05f3a172f40f03e7c93910885fea3d2
Instruction ID: a63f2f189a3e2edcf0538d7badf3dcbb9cc3f8a9c9775b6af0df4775ef0d8f65
Opcode Fuzzy Hash: d9a643cc478c39b250c68add5d0551f7a05f3a172f40f03e7c93910885fea3d2
Instruction Fuzzy Hash: 8921A5716052508BCB49CF39D4C1652BBE1EF4D21836AC1EAD84ECF22BD226E957CB94

Function 0041477B Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent$gettimeofday
String ID:
API String ID: 1257086969-0
Opcode ID: e23266663ef55ae2738f885f28f299a497797baebc487b957e4c5456e93bc85a
Instruction ID: ea4e5cb8747ccbf8efdb5e3e706d87ce1f8fd9f2265f3da48baab8a7d0f49685
Opcode Fuzzy Hash: e23266663ef55ae2738f885f28f299a497797baebc487b957e4c5456e93bc85a
Instruction Fuzzy Hash: 11E1ACB59047169FC700CF29C4813DABBE1FF85345F10852EE49887B82E378E99ADB95

Function 00431DF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7389bb02c135412f1bbfde4d1a8fcaddffcd87b88cc758ed71481fa29e1c02
Instruction ID: 3ca0a330fd041bf31e3fb2f6a2987948e8b8efa853c1574abeae5c3f70f40cb1
Opcode Fuzzy Hash: 1c7389bb02c135412f1bbfde4d1a8fcaddffcd87b88cc758ed71481fa29e1c02
Instruction Fuzzy Hash: 0A01D4223542754B87008E79DCD04A2B7D5E75E3463A89677EE84C7216C22DFA0AEB74

Function 0042D1B8 Relevance: 50.9, APIs: 26, Strings: 3, Instructions: 151stringCOMMON

Download Yara Rule

APIs

getpwnam.CYGWIN1 ref: 0042D1D3
socketpair.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D21E
fork.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D23E
close.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D25E
dup2.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D271
dup2.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D28A
_exit.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2A7
close.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2B2
_getuid32.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2B7
_setuid32.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2C7
_exit.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2F3
_getuid32.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2F8
_geteuid32.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D2FF
_setreuid32.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D316
_exit.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D342
fork.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D347
_exit.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D364
_exit.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D374
signal.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D388
signal.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D39C
signal.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D3B0
strrchr.CYGWIN1(?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D3C2
execlp.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,REMOTE,?,0042C545), ref: 0042D3FC

Strings

rsh, xrefs: 0042D1CB
/, xrefs: 0042D3B7
REMOTE, xrefs: 0042D1BB

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _exit$signal$_getuid32closedup2fork$_geteuid32_setreuid32_setuid32execlpgetpwnamsocketpairstrrchr
String ID: /$REMOTE$rsh
API String ID: 2493897631-911763186
Opcode ID: 8b38bb419fdebd86897de42b391a2e57c2950617e98b811ce342d46da6392b90
Instruction ID: 10edc96526b607b45b20e52bdef1b77abaabf6dbfb715c64d9b40676b8527277
Opcode Fuzzy Hash: 8b38bb419fdebd86897de42b391a2e57c2950617e98b811ce342d46da6392b90
Instruction Fuzzy Hash: 3C51E8B19087059BD720BF7AD54126EBBE0AF48328F119A1EE5E8873D1D77CD4808B5B

Function 004261C4 Relevance: 42.4, APIs: 15, Strings: 9, Instructions: 383stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00423100: usleep.CYGWIN1 ref: 00423163

putchar.CYGWIN1 ref: 004263BF
putchar.CYGWIN1 ref: 004263CD
putchar.CYGWIN1 ref: 004263DE
strncpy.CYGWIN1 ref: 004263F8
strncpy.CYGWIN1 ref: 00426412
strncpy.CYGWIN1 ref: 0042642C
__getreent.CYGWIN1 ref: 004272C1

Strings

, xrefs: 004267C7
FAKE, xrefs: 004267D5
, xrefs: 004267CE
#, xrefs: 0042646B
EX , xrefs: 004267B2
MT02, xrefs: 004267B9
, xrefs: 004267C0
EMUL, xrefs: 004267AB
$, xrefs: 004261F8

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putcharstrncpy$__getreentusleep
String ID: $ $ $#$$$EMUL$EX $FAKE$MT02
API String ID: 3239524876-3830852849
Opcode ID: 07d1dce2130bb363e7da3ef6efff11f76d7cee0a88f0077f5d81b8358a080c85
Instruction ID: 3f47eabf2a4b2511008f2494c0320062933aaff87fc7bd5cb894599d8da3a9f2
Opcode Fuzzy Hash: 07d1dce2130bb363e7da3ef6efff11f76d7cee0a88f0077f5d81b8358a080c85
Instruction Fuzzy Hash: 3B0287B0608B55EBDB20DF25D0843A9BBB1BF14314F51865FD8884B742C3B8E598DF9A

Function 0042EAB0 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 339stringCOMMON

Download Yara Rule

APIs

strncpy.CYGWIN1 ref: 0042EBD0
strchr.CYGWIN1 ref: 0042EC04
strchr.CYGWIN1 ref: 0042EC48
strchr.CYGWIN1 ref: 0042EC73
strchr.CYGWIN1 ref: 0042EC93
strncpy.CYGWIN1 ref: 0042ECD5
__errno.CYGWIN1 ref: 0042EE93
rcmd.CYGWIN1 ref: 0042EED5
__getreent.CYGWIN1 ref: 0042EF12
__getreent.CYGWIN1 ref: 0042EF5F
__getreent.CYGWIN1 ref: 0042EF87
__getreent.CYGWIN1 ref: 0042EFA9
__getreent.CYGWIN1 ref: 0042EFDC

Strings

REMOTE, xrefs: 0042EB9D
HELP, xrefs: 0042EB60
help, xrefs: 0042EB7A
,, xrefs: 0042EDED

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent$strchr$strncpy$__errnorcmd
String ID: ,$HELP$REMOTE$help
API String ID: 744770957-3024340532
Opcode ID: fcbda20660463f563b903b2f0d47b175046d143392fb867de78864e120935eab
Instruction ID: 335d7bc0763899cb3354b5fe8caeea5d2d967eea4c3a2cf7fb024d667be07dbe
Opcode Fuzzy Hash: fcbda20660463f563b903b2f0d47b175046d143392fb867de78864e120935eab
Instruction Fuzzy Hash: 74F128B09047199BDB20DF26C48439EBBF1AF48324F54C5AEE8885B351D738D985CF86

Function 00403891 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 129COMMON

Download Yara Rule

APIs

signal.CYGWIN1 ref: 0040398B
signal.CYGWIN1 ref: 0040399F
signal.CYGWIN1 ref: 004039B3
sleep.CYGWIN1 ref: 004039CC
putchar.CYGWIN1 ref: 004039E1
signal.CYGWIN1 ref: 00403A09
getpid.CYGWIN1 ref: 00403A0E
kill.CYGWIN1 ref: 00403A1E

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

Part of subcall function 004346C0: __getreent.CYGWIN1 ref: 004346C6
Part of subcall function 004346C0: fflush.CYGWIN1 ref: 004346D1

signal.CYGWIN1 ref: 00403A73
signal.CYGWIN1 ref: 00403A87
signal.CYGWIN1 ref: 00403A9B
signal.CYGWIN1 ref: 00403AAF
signal.CYGWIN1 ref: 00403AC3
signal.CYGWIN1 ref: 00403AD7
putchar.CYGWIN1 ref: 00403AE3

Strings

single, xrefs: 004038DF
multi, xrefs: 004038D4
force, xrefs: 004038FA
dummy, xrefs: 0040390E, 00403957
real, xrefs: 00403919, 00403962

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: signal$__getreentputchar$fflushgetpidkillsleep
String ID: force$dummy$multi$real$single
API String ID: 2417562645-3732234474
Opcode ID: b0fcbf7895b530ce878863c9ec7c2c10e62b8ef983d9250c992088cf397a0a4e
Instruction ID: 213270c2992b6ca7f469ac35a478c582caa837e7380617af0459fe1b62720d35
Opcode Fuzzy Hash: b0fcbf7895b530ce878863c9ec7c2c10e62b8ef983d9250c992088cf397a0a4e
Instruction Fuzzy Hash: 155139F15093449BD710AFA6C10531ABBE4AF8871DF01982EF8D85B3C2D7BC9944DB5A

Function 0041111B Relevance: 22.7, APIs: 10, Strings: 5, Instructions: 246stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 00411150
strchr.CYGWIN1 ref: 004111F1
strchr.CYGWIN1 ref: 00411212
strchr.CYGWIN1 ref: 00411282
strchr.CYGWIN1 ref: 004112A3
atoi.CYGWIN1 ref: 004112C2
strchr.CYGWIN1 ref: 00411344
strchr.CYGWIN1 ref: 00411365
strchr.CYGWIN1 ref: 004113FC
strchr.CYGWIN1 ref: 0041141B

Strings

62D, xrefs: 0041116D
X2D, xrefs: 00411396
,:/@, xrefs: 00411132, 00411137
, xrefs: 0041140A
y2D, xrefs: 0041142D

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strchr$atoi
String ID: $,:/@$62D$X2D$y2D
API String ID: 3209639173-265814900
Opcode ID: 2fef49a283f6a7d786d5af992b870a2e6c35ff5782244de47df674c97327f091
Instruction ID: e24d4b40a871b8f57b1282ee07f82994780bcf965fd50f61e6f456a463a3bd9e
Opcode Fuzzy Hash: 2fef49a283f6a7d786d5af992b870a2e6c35ff5782244de47df674c97327f091
Instruction Fuzzy Hash: 609123B45047198EDB219F29C8913DABBE0AF16354F04849ADAD4A7360C37CCEC2CF99

Function 0040B05D Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 214COMMON

Download Yara Rule

APIs

isatty.CYGWIN1 ref: 0040B079
_fstat64.CYGWIN1 ref: 0040B0A0
_lseek64.CYGWIN1 ref: 0040B11E
read.CYGWIN1 ref: 0040B159
read.CYGWIN1 ref: 0040B1C7
read.CYGWIN1 ref: 0040B268
_lseek64.CYGWIN1 ref: 0040B3BC
_lseek64.CYGWIN1 ref: 0040B3E4

Strings

RIFF, xrefs: 0040B198
fmt , xrefs: 0040B215
WAVE, xrefs: 0040B1DB
data, xrefs: 0040B2E9

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _lseek64read$_fstat64isatty
String ID: RIFF$WAVE$data$fmt
API String ID: 760648946-4212202414
Opcode ID: 8044840aef883259447bf1be922e528d503c80eacacf933a7dcf0c7fce6030f2
Instruction ID: eeeaf4536e85b5ab1a125e3f5006cc46843156599ce7ce250647521fa127613a
Opcode Fuzzy Hash: 8044840aef883259447bf1be922e528d503c80eacacf933a7dcf0c7fce6030f2
Instruction Fuzzy Hash: EC9124709043588BEB20DF29C88479EBBF1EF45324F1485A9D898673C1D3389D85CF9A

Function 0042FFDB Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

P, xrefs: 00430149
P, xrefs: 00430158
,, xrefs: 004300D9
0, xrefs: 00430119
P, xrefs: 004300C1

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: ,$0$P$P$P
API String ID: 0-718439047
Opcode ID: 3b2eedff4cb70c6c922c0940110641631cfe9c578dd8e50799c95f241fe1634c
Instruction ID: 58f22cea2b565ad5640c4ae69065b42d52380e2ff1ed4097f7c2be0998e0810a
Opcode Fuzzy Hash: 3b2eedff4cb70c6c922c0940110641631cfe9c578dd8e50799c95f241fe1634c
Instruction Fuzzy Hash: 17915CB04083958EDB20CF69C0947AABFF1BF49305F08899ED8D88B342D778E949CB55

Function 0042A68D Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 0042A386: putchar.CYGWIN1(?,?,?,0042A707), ref: 0042A55C

puts.CYGWIN1 ref: 0042A71E
puts.CYGWIN1 ref: 0042A72A
putchar.CYGWIN1 ref: 0042A8D2
putchar.CYGWIN1 ref: 0042A8F3

Strings

*, xrefs: 0042A6E1
0, xrefs: 0042A74C
@, xrefs: 0042A87B
Data, xrefs: 0042A881
Audio, xrefs: 0042A88C
Blank, xrefs: 0042A876
0, xrefs: 0042A75F

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putchar$puts
String ID: *$0$0$@$Audio$Blank$Data
API String ID: 2912448171-2052026052
Opcode ID: ddd65e98c031a317310a327d9769fa7611133043f557bbef5a0ded0133146f3e
Instruction ID: 78c37fb4aff3d336b42877f110a211c2c86ff51aecdf68144b84432710380b6c
Opcode Fuzzy Hash: ddd65e98c031a317310a327d9769fa7611133043f557bbef5a0ded0133146f3e
Instruction Fuzzy Hash: 56814BB09083688BEB20DF6AC44039DBFF0AF85314F558A5EE4D897282D73C8585DF56

Function 0042C3D7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

signal.CYGWIN1 ref: 0042C3F5
getservbyname.CYGWIN1 ref: 0042C412
_getuid32.CYGWIN1 ref: 0042C434
_getpwuid32.CYGWIN1 ref: 0042C43C
strchr.CYGWIN1 ref: 0042C469
getenv.CYGWIN1 ref: 0042C4F3
getenv.CYGWIN1 ref: 0042C50A
rcmd.CYGWIN1 ref: 0042C578

Strings

@, xrefs: 0042C45E
/opt/schily/sbin/rscsi, xrefs: 0042C4FE
REMOTE, xrefs: 0042C3DA

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: getenv$_getpwuid32_getuid32getservbynamercmdsignalstrchr
String ID: /opt/schily/sbin/rscsi$@$REMOTE
API String ID: 2104411971-1090103765
Opcode ID: 17ac6293c8db2d893e52f9fa6d0cedeb2ab735dfc9f1de11be2c4c5b3959278e
Instruction ID: e72b4520f4b545ef418f80018aa8ecf0a0ac88ee1159a32e7b4f290d9535e401
Opcode Fuzzy Hash: 17ac6293c8db2d893e52f9fa6d0cedeb2ab735dfc9f1de11be2c4c5b3959278e
Instruction Fuzzy Hash: F54106B0908315DFD310EF26D48165EBBE4BB48355F40892EE4E88B352E778D884CB9A

Function 0040DDA4 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0040DE90
puts.CYGWIN1 ref: 0040DE9C
puts.CYGWIN1 ref: 0040DEA8
puts.CYGWIN1 ref: 0040DEBC
puts.CYGWIN1 ref: 0040DEC8
puts.CYGWIN1 ref: 0040DED4

Strings

Long strategy type (Cyanine, AZO or similar), xrefs: 0040DDD5
Short strategy type (Phthalocyanine or similar), xrefs: 0040DDDF
Phase change, xrefs: 0040DDEA
unknown dye (reserved id code), xrefs: 0040DE33
unknown dye (old id code), xrefs: 0040DE17

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: Long strategy type (Cyanine, AZO or similar)$Phase change$Short strategy type (Phthalocyanine or similar)$unknown dye (old id code)$unknown dye (reserved id code)
API String ID: 2585676111-3703577660
Opcode ID: 62fc78ec44e459fe378b18a8ec0c0919d5fea47ff7d3c09b3a057bb5276fdf1a
Instruction ID: 998a603d9028793de7a06e25d0c0a3ec02998d22f97dbb81d4d5ff70ab3253b1
Opcode Fuzzy Hash: 62fc78ec44e459fe378b18a8ec0c0919d5fea47ff7d3c09b3a057bb5276fdf1a
Instruction Fuzzy Hash: 7631E8B18042055ADB107F65C5813AE7BE0DF55314F45946FE4C45F742D7BC8849CBAE

Function 004272E8 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fwrite.CYGWIN1(?,?,?,004272D8), ref: 00427317
fwrite.CYGWIN1(?,?,?,004272D8), ref: 0042738B
fwrite.CYGWIN1(?,?,?,004272D8), ref: 004273B1
fwrite.CYGWIN1(?,?,?,004272D8), ref: 004273D7
fwrite.CYGWIN1(?,?,?,004272D8), ref: 004273FD
fwrite.CYGWIN1(?,?,?,004272D8), ref: 00427423
fwrite.CYGWIN1(?,?,?,004272D8), ref: 00427449
fwrite.CYGWIN1(?,?,?,004272D8), ref: 0042746F
fwrite.CYGWIN1(?,?,?,004272D8), ref: 00427495
fwrite.CYGWIN1(?,?,?,004272D8), ref: 004274BB
fwrite.CYGWIN1(?,?,?,004272D8), ref: 004274E1
fputc.CYGWIN1(?,?,?,004272D8), ref: 004274F1

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: fwrite$fputc
String ID:
API String ID: 3035207039-0
Opcode ID: 55c3076f2482090a552e443168e7d3a368ce5e1027172a48ac74dae2b4143a81
Instruction ID: d3ad6c3e32324ba88b0a81f29b0dc72bc4f1b88bbf8a6a78ca3d5bfa963af02f
Opcode Fuzzy Hash: 55c3076f2482090a552e443168e7d3a368ce5e1027172a48ac74dae2b4143a81
Instruction Fuzzy Hash: 9B61E5B050C754AEE711AF15C18935EBFE0AF85758F14C88FE8C84A682C3FD9884DB5A

Function 0041AD64 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 430COMMON

Download Yara Rule

APIs

malloc.CYGWIN1 ref: 0041AD8B
realloc.CYGWIN1 ref: 0041AE4F
realloc.CYGWIN1 ref: 0041AF75
realloc.CYGWIN1 ref: 0041B03E
realloc.CYGWIN1 ref: 0041B0B0
realloc.CYGWIN1 ref: 0041B2A6
free.CYGWIN1 ref: 0041B343

Strings

!, xrefs: 0041B259
, xrefs: 0041B203

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: realloc$freemalloc
String ID: $!
API String ID: 266208546-2056089098
Opcode ID: 064915345142a3f90702f4d4b7f0fffee6babb413cf63b9a369b4e958ddcf53e
Instruction ID: 327a8b0bda491c6508eebb63352ae0c512388f77b4e25d1e4cbc4bb8e3c6c3c1
Opcode Fuzzy Hash: 064915345142a3f90702f4d4b7f0fffee6babb413cf63b9a369b4e958ddcf53e
Instruction Fuzzy Hash: B5220470904219DFCB14CF58D084A9DBBF1FF88358F14856EE898AB352D775E986CB81

Function 00430AA1 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

p, xrefs: 00430B20

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: f952a143ae00677e715513829e78ba99890893e04da52871ca6f2c687991b6da
Instruction ID: b048feee7772d0bdf43b4fa209adf4d84b7d75cff63b91cd720f1049e78138ae
Opcode Fuzzy Hash: f952a143ae00677e715513829e78ba99890893e04da52871ca6f2c687991b6da
Instruction Fuzzy Hash: 2581F6B0508744DBD710EF29C19575ABBE0FF48318F109A5EE8C88B746D778E989CB86

Function 0041F1BC Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

__getreent.CYGWIN1(?,0041FECD), ref: 0041F294
putchar.CYGWIN1 ref: 0041F310
putchar.CYGWIN1 ref: 0041F322
putchar.CYGWIN1 ref: 0041F342
putchar.CYGWIN1 ref: 0041F354
puts.CYGWIN1 ref: 0041F366
putchar.CYGWIN1 ref: 0041F399

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

putchar.CYGWIN1 ref: 0041F3A7
putchar.CYGWIN1 ref: 0041F3B9

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putchar$__getreent$puts
String ID:
API String ID: 3919515144-0
Opcode ID: 2f90e35f722b11f2d5fa997e2f8dfbf3f61d26e32cf9b2db2a4c82da5ae2812c
Instruction ID: 847bbc4ba71fa1aa5d00e96b5f3a89fb400e1676a892d98682794db020f49f4a
Opcode Fuzzy Hash: 2f90e35f722b11f2d5fa997e2f8dfbf3f61d26e32cf9b2db2a4c82da5ae2812c
Instruction Fuzzy Hash: 9B5160F440C7945ED3216F76C08126EBEE0AF89318F05C82FE4E986742D77C9486DB5A

Function 00417CD6 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

fclose.CYGWIN1 ref: 00418240

Strings

1, xrefs: 0041807B
help, xrefs: 00418009
0, xrefs: 00418090
dD, xrefs: 00418245
1, xrefs: 004182BA
0, xrefs: 004182D1

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: fclose
String ID: 0$0$1$1$help$dD
API String ID: 3125558077-935708906
Opcode ID: 4acadf5fca6b5609a7a15cc1e3d510c216de1f92c727ba5c48b3b74945b51dde
Instruction ID: 92df10f2f375b7fdab4ebb9a6c934d9e71f58b57df0a71ecca178078a096a0b1
Opcode Fuzzy Hash: 4acadf5fca6b5609a7a15cc1e3d510c216de1f92c727ba5c48b3b74945b51dde
Instruction Fuzzy Hash: 91228E706087499BDB15DF25C4803AABBE1BF45354F09C68EE8988F392D738D881CB89

Function 0040B677 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 461stringCOMMON

Download Yara Rule

APIs

strncpy.CYGWIN1 ref: 0040B6CC
strrchr.CYGWIN1 ref: 0040B6E0
rcmd.CYGWIN1 ref: 0040B865

Part of subcall function 0040BD01: malloc.CYGWIN1 ref: 0040BD2B

Part of subcall function 0040BD73: malloc.CYGWIN1 ref: 0040BD96
Part of subcall function 0040BD73: strcpy.CYGWIN1 ref: 0040BDA8

Strings

yes, xrefs: 0040BAB3, 0040BB5C
inf, xrefs: 0040B6F8
., xrefs: 0040B6D5
once, xrefs: 0040BBB7

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: malloc$rcmdstrcpystrncpystrrchr
String ID: .$inf$once$yes
API String ID: 1717987454-3090738551
Opcode ID: eb43d832a99df5188690b2d4a893bc9bd1f5d7543815a19773ee26ff8f2f7097
Instruction ID: 9c76f31b13b76a7764505ad06b1f95fa81383da36845a4cbcb5c88d2a00b9974
Opcode Fuzzy Hash: eb43d832a99df5188690b2d4a893bc9bd1f5d7543815a19773ee26ff8f2f7097
Instruction Fuzzy Hash: 7F124FB09047068BD721AF25C48135AB7E1EF44314F05887EE984AB392EB7CDD81CB9D

Function 004303C6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

__errno.CYGWIN1 ref: 00430404
__errno.CYGWIN1 ref: 004304A5
__errno.CYGWIN1 ref: 0043060B

Part of subcall function 0042FA68: memset.CYGWIN1 ref: 0042FA8B
Part of subcall function 0042FA68: GetVersionExA.KERNEL32 ref: 0042FA9D

malloc.CYGWIN1 ref: 0043062A
atexit.CYGWIN1 ref: 0043066A

Strings

ASPI, xrefs: 00430472, 00430523, 00430585, 004305CA
SPTI, xrefs: 00430458, 00430515, 0043054F, 004305BC

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __errno$Versionatexitmallocmemset
String ID: ASPI$SPTI
API String ID: 2419783000-2941854592
Opcode ID: ad56939da11e676fe57b18682fe70219d020388752f625acd1c1971b622f9dce
Instruction ID: e9b9d857a47cf2b53a1bb54ffcff32c307a0aacfc8d696f869562098ec2fd228
Opcode Fuzzy Hash: ad56939da11e676fe57b18682fe70219d020388752f625acd1c1971b622f9dce
Instruction Fuzzy Hash: 6C7149B0904209DBDB10DF64C4953AE77E1FB48325F14972AD8A49B396C37DC980CF99

Function 0040C750 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 181stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 0040C7D9
strchr.CYGWIN1 ref: 0040C7F6
strrchr.CYGWIN1 ref: 0040C835
strdup.CYGWIN1 ref: 0040C8AB
_fstat64.CYGWIN1 ref: 0040C928

Strings

/, xrefs: 0040C82A
5!D, xrefs: 0040C84F

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strchr$_fstat64strdupstrrchr
String ID: /$5!D
API String ID: 3773073796-1970127024
Opcode ID: 227fe29de14e53c86460684e87561f93a298d189755f54d9aa591a54300cb96f
Instruction ID: 5758117b63476aaad6ab5296c98efcbb1b7d5f4a14bed7c18031990a2b1b918b
Opcode Fuzzy Hash: 227fe29de14e53c86460684e87561f93a298d189755f54d9aa591a54300cb96f
Instruction Fuzzy Hash: 2C81C6B0908705DFD720AF69C58561ABBF0BF44318F40892EE4D997781D7B8E884CB9A

Function 0040ADD8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

isatty.CYGWIN1 ref: 0040ADF4
_fstat64.CYGWIN1 ref: 0040AE1B
_lseek64.CYGWIN1 ref: 0040AE8B
read.CYGWIN1 ref: 0040AEA5
_lseek64.CYGWIN1 ref: 0040AFA3
_lseek64.CYGWIN1 ref: 0040AFD6

Strings

.snd, xrefs: 0040AEB5

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _lseek64$_fstat64isattyread
String ID: .snd
API String ID: 1656159448-2260677232
Opcode ID: 2fb83336c679090f3ca4650719826fd1965217aa8e236a4998fd4fa556d8485c
Instruction ID: 9bca5978be67e1c0d0b37ce6900f079ae3c491f4d4e544da474543d425230887
Opcode Fuzzy Hash: 2fb83336c679090f3ca4650719826fd1965217aa8e236a4998fd4fa556d8485c
Instruction Fuzzy Hash: 7A519470E083644AE7209A3EC4907AEBFF19BC9370F54C669E4E8E73C5D63C89458B95

Function 00416A9A Relevance: 12.4, APIs: 8, Instructions: 366COMMON

Download Yara Rule

APIs

malloc.CYGWIN1 ref: 00416AC1
realloc.CYGWIN1 ref: 00416B48
realloc.CYGWIN1 ref: 00416C49
realloc.CYGWIN1 ref: 00416D13
realloc.CYGWIN1 ref: 00416D85
realloc.CYGWIN1 ref: 00416DFC
realloc.CYGWIN1 ref: 00416EF7
free.CYGWIN1 ref: 00416F94

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: realloc$freemalloc
String ID:
API String ID: 266208546-0
Opcode ID: da1a9de500d7a7063dd27d33cdf357b4161b2105e202a2ed9105d8f3c864c540
Instruction ID: 39343d7b556a3e67bc88f882351f16cd213ea2484f5a8523baea7a1d291d22f3
Opcode Fuzzy Hash: da1a9de500d7a7063dd27d33cdf357b4161b2105e202a2ed9105d8f3c864c540
Instruction Fuzzy Hash: 4902C0B49042199FCB14DF99D480A9DBBF1FF88308F11856EE488AB352D775E986CF81

Function 00435285 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

write.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,0043536C), ref: 004352A7
write.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,0043536C), ref: 004352CA
write.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,0043536C), ref: 004352E6
abort.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,0043536C), ref: 004352EB

Part of subcall function 00436955: fileno.CYGWIN1(00435310,?,?,?,?,?,?,?,?,?,0043548C,?,?,?,?,004355AC), ref: 00436962

fileno.CYGWIN1(?,?,?,?,?,?,?,?,?,0043548C,?,?,?,?,004355AC), ref: 00435317
write.CYGWIN1(?,?,?,?,?,?,?,?,?,0043548C,?,?,?,?,004355AC), ref: 00435327
fwrite.CYGWIN1 ref: 00435341

Strings

Q{E, xrefs: 004352D7

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: write$fileno$abortfwrite
String ID: Q{E
API String ID: 4135057298-1480755383
Opcode ID: 1e2dd25f5142b828310cb9bd4d4082950be1474e0533513aebc179e118cc571e
Instruction ID: 11a07a9bd6933e8aae082d07c3c76d63c32c05f4150ea2a1e431f1bfccb49152
Opcode Fuzzy Hash: 1e2dd25f5142b828310cb9bd4d4082950be1474e0533513aebc179e118cc571e
Instruction Fuzzy Hash: A8110DB4808308ABC710AF55C58655EFFF4EF48758F11A85EF8D817352C778A9409B96

Function 0042F2D0 Relevance: 12.1, APIs: 8, Instructions: 67COMMON

Download Yara Rule

APIs

malloc.CYGWIN1(?,?,00000000,?,0042EAFF), ref: 0042F2DE
malloc.CYGWIN1 ref: 0042F34C
malloc.CYGWIN1 ref: 0042F363
malloc.CYGWIN1 ref: 0042F376
malloc.CYGWIN1 ref: 0042F389
__getreent.CYGWIN1 ref: 0042F39E
malloc.CYGWIN1 ref: 0042F3B3
malloc.CYGWIN1 ref: 0042F3C9

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: malloc$__getreent
String ID:
API String ID: 3312664190-0
Opcode ID: 0d401dc55e936263f7dc003095380ee21f9556ea0f00eaedf2b5f6659ef64c9d
Instruction ID: e9b4131f7107004731e8b6a2c27e21c0636cb8fb10c609056cb376d9190b06f2
Opcode Fuzzy Hash: 0d401dc55e936263f7dc003095380ee21f9556ea0f00eaedf2b5f6659ef64c9d
Instruction Fuzzy Hash: E221F9B05083459ED760BF3AD48131A7AE4AF04354F45567EE8D8CE296EB7CC844CB6A

Function 00413A05 Relevance: 10.8, APIs: 7, Instructions: 303COMMON

Download Yara Rule

APIs

malloc.CYGWIN1 ref: 00413A2C
realloc.CYGWIN1 ref: 00413AD6
realloc.CYGWIN1 ref: 00413BA2
realloc.CYGWIN1 ref: 00413C14
realloc.CYGWIN1 ref: 00413C85
realloc.CYGWIN1 ref: 00413D81
free.CYGWIN1 ref: 00413E1E

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: realloc$freemalloc
String ID:
API String ID: 266208546-0
Opcode ID: 6bfd95f7008972c8c916b5ccaf8ab286bf9b0a0d10888e14ff710e163aaeaaa3
Instruction ID: d787dcf5f3fcbe1c62bdcd7a4a7e94956928f5f55124fa17388c7e420ed6220a
Opcode Fuzzy Hash: 6bfd95f7008972c8c916b5ccaf8ab286bf9b0a0d10888e14ff710e163aaeaaa3
Instruction Fuzzy Hash: 45E1CFB49043199FCB14DF99D080A9DBBF1FF88314F10852EE898AB351E734A986CF85

Function 00403C5F Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

exit.CYGWIN1 ref: 00403D58

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

Part of subcall function 004348F0: __getreent.CYGWIN1(?,?,?,?,004345F9), ref: 004348FA

exit.CYGWIN1 ref: 0040417A
exit.CYGWIN1 ref: 0040420F
signal.CYGWIN1 ref: 00404229

Strings

yC@, xrefs: 00403CAC
0, xrefs: 00404118

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: exit$__getreent$signal
String ID: 0$yC@
API String ID: 1093632401-1632694943
Opcode ID: 2d73e339847cc807c02179e96d63153a432a40491c6fea064c3d8f57b2782c7e
Instruction ID: b1c97247b37be25f0868702cc49b583f41f0a94c7c5572801ea56d3d1f045d9c
Opcode Fuzzy Hash: 2d73e339847cc807c02179e96d63153a432a40491c6fea064c3d8f57b2782c7e
Instruction Fuzzy Hash: B9C1F1B49097C59ED7047FAAB10219EBAE0AE9D308F11B81FE8C446253D77C64458BBF

Function 0040EB80 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

_open64.CYGWIN1 ref: 0040EBF9
read.CYGWIN1 ref: 0040EC29
close.CYGWIN1 ref: 0040EC52

Strings

@,D, xrefs: 0040EBD0
h-D, xrefs: 0040EFBF
d, xrefs: 0040EB8C

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _open64closeread
String ID: @,D$d$h-D
API String ID: 3750398406-4001815264
Opcode ID: 34d8759a9664a49b09a2d1d426510619c0168642213a880f797025deb918281e
Instruction ID: b9001e7061df9cd0856762845e29a6ceed4dc79014e91aadd5da5408d861bb7a
Opcode Fuzzy Hash: 34d8759a9664a49b09a2d1d426510619c0168642213a880f797025deb918281e
Instruction Fuzzy Hash: EDD16EB08083A59ED721DF25C480699BFF1BF45314F088AAEE4D89B392D7788A84CF55

Function 004194AC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 229COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 004196AF
puts.CYGWIN1 ref: 004196DA

Strings

HeD, xrefs: 004195AE
OFF, xrefs: 0041967E
HeD, xrefs: 00419532
PiD, xrefs: 00419670

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: HeD$HeD$OFF$PiD
API String ID: 2585676111-591938924
Opcode ID: c3ac6d95e92e8982f81d72d244db75e1711f01bd61d4115bd7b2196dc405f5e3
Instruction ID: d4636ab6eca9ba62233fee9a2cf0150e8e728dbcc0ddf6f5bc381e3aae1b50db
Opcode Fuzzy Hash: c3ac6d95e92e8982f81d72d244db75e1711f01bd61d4115bd7b2196dc405f5e3
Instruction Fuzzy Hash: 36A14CB05083159FD721AF25C59839ABBE0AF45314F04899EE8988B391D77CCE85CF9A

Function 0041A30F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

gettimeofday.CYGWIN1 ref: 0041A365
puts.CYGWIN1 ref: 0041A37E
puts.CYGWIN1 ref: 0041A3EF
gettimeofday.CYGWIN1 ref: 0041A55F
sleep.CYGWIN1 ref: 0041A5D0

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

Strings

., xrefs: 0041A53F

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: gettimeofdayputs$__getreentsleep
String ID: .
API String ID: 4269201348-248832578
Opcode ID: 611964cc56ad0300ddb5f44e16ed745bbe2744019b6924e11990791691ff327a
Instruction ID: d8f276f04b0807fd30ec657b217e2dece6516cf045a516c79330c23c065bb1ed
Opcode Fuzzy Hash: 611964cc56ad0300ddb5f44e16ed745bbe2744019b6924e11990791691ff327a
Instruction Fuzzy Hash: 4F813AB4A053159FDB00AF66D1803AEBBF1FF48318F45842EE88497341E77C9990CB9A

Function 0042F5D0 Relevance: 10.7, APIs: 7, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 0042F665
DeviceIoControl.KERNEL32 ref: 0042F6B7
CloseHandle.KERNEL32 ref: 0042F703
__errno.CYGWIN1 ref: 0042F71A
memset.CYGWIN1 ref: 0042F73C
GetDriveTypeA.KERNEL32 ref: 0042F7AD
memmove.CYGWIN1 ref: 0042F873

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: CloseControlCreateDeviceDriveFileHandleType__errnomemmovememset
String ID:
API String ID: 4191657644-0
Opcode ID: 722f83465a5b7e6d40d23521ab07af58a7e0b6fb1a0bfbfefe7c0d2c7b2d3ba2
Instruction ID: b49b06dd43075e172c1541ffb61f2a315bc36bd2cb07ec916d297bee85f44ec3
Opcode Fuzzy Hash: 722f83465a5b7e6d40d23521ab07af58a7e0b6fb1a0bfbfefe7c0d2c7b2d3ba2
Instruction Fuzzy Hash: A691C870808365DEDB20DF64D4443AD7BF0BB85309F4486BED4D887252D7B88999CF96

Function 0041AA71 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0041ABA8
puts.CYGWIN1 ref: 0041ABC6

Strings

OFF, xrefs: 0041AB7F
PiD, xrefs: 0041AB76
HeD, xrefs: 0041ACCC
HeD, xrefs: 0041AAC9

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: HeD$HeD$OFF$PiD
API String ID: 2585676111-591938924
Opcode ID: 1afc1be418c137ad300b899671229c0541e1c6db923633c695591e35bd4519f7
Instruction ID: a1d60c44a2119e65627a60602252b21d97328212ef1669b8e9f0a40cdaca8644
Opcode Fuzzy Hash: 1afc1be418c137ad300b899671229c0541e1c6db923633c695591e35bd4519f7
Instruction Fuzzy Hash: BD717AB05093489BD711DF24C18479ABBE1AF85318F15C99EE8D88B382D77CD9C9CB86

Function 0042BDA8 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 160stringCOMMON

Download Yara Rule

APIs

__errno.CYGWIN1 ref: 0042BE10

Part of subcall function 004348F0: __getreent.CYGWIN1(?,?,?,?,004345F9), ref: 004348FA

malloc.CYGWIN1 ref: 0042BE75
strchr.CYGWIN1 ref: 0042BF2F
strchr.CYGWIN1 ref: 0042BF96

Strings

:, xrefs: 0042BF8B
REMOTE, xrefs: 0042BF0B

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strchr$__errno__getreentmalloc
String ID: :$REMOTE
API String ID: 1956936704-1364300996
Opcode ID: 46844b895ee8992298da146146bf18822c9c7d05140f984c527cd18ed247b1dc
Instruction ID: dd657271d1d04b430805264d8ba9b76b40fff96c1f0f397cfd7a0aef81773a1b
Opcode Fuzzy Hash: 46844b895ee8992298da146146bf18822c9c7d05140f984c527cd18ed247b1dc
Instruction Fuzzy Hash: 237125B46043049FD710DF29C48479ABBE1FF49368F5185AEE8988B352C779E885CF86

Function 004307BA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__errno.CYGWIN1 ref: 004307ED

Strings

@, xrefs: 004308B3

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __errno
String ID: @
API String ID: 1422650102-2766056989
Opcode ID: 555ad68db2ecb76235f58f10cb07e78186a8081f4beac6abc1c1039c62fe5643
Instruction ID: 60a8f9ba97758de2f4f47fd8ddcc2db6d2bc8e4ea295444c67e5741db8848162
Opcode Fuzzy Hash: 555ad68db2ecb76235f58f10cb07e78186a8081f4beac6abc1c1039c62fe5643
Instruction Fuzzy Hash: 124131B0908744DBDB10EF69C49536DBBF0BF08318F10966EE8949B386D778D948CB96

Function 00408B1B Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

putchar.CYGWIN1 ref: 00408BB4
__getreent.CYGWIN1 ref: 00408BC7
fileno.CYGWIN1 ref: 00408C04
_fcntl64.CYGWIN1 ref: 00408C1C
signal.CYGWIN1 ref: 00408C40
puts.CYGWIN1 ref: 00408C4C
pause.CYGWIN1 ref: 00408C56

Part of subcall function 00433130: getc.CYGWIN1 ref: 0043314A
Part of subcall function 00433130: getc.CYGWIN1 ref: 00433169

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: getc$__getreent_fcntl64filenopauseputcharputssignal
String ID:
API String ID: 1935179653-0
Opcode ID: 43ba5a1efaea7481945f1c4934fed40c673097782837b257d8ea8c0b0282e06d
Instruction ID: 47f3ada2a2933a177b89eccf51746536c7da98d89479a7799a1909927374f706
Opcode Fuzzy Hash: 43ba5a1efaea7481945f1c4934fed40c673097782837b257d8ea8c0b0282e06d
Instruction Fuzzy Hash: B44159B00097449AD710BF65C64531ABBF0AF48728F05892FE9D85B292DBBCD484DB5A

Function 004153EF Relevance: 10.6, APIs: 7, Instructions: 71fileCOMMON

Download Yara Rule

APIs

__getreent.CYGWIN1 ref: 00415403
__getreent.CYGWIN1 ref: 00415462
fwrite.CYGWIN1 ref: 00415485
fwrite.CYGWIN1 ref: 00415426

Part of subcall function 004346C0: __getreent.CYGWIN1 ref: 004346C6
Part of subcall function 004346C0: fflush.CYGWIN1 ref: 004346D1

putchar.CYGWIN1 ref: 0041544D
__getreent.CYGWIN1 ref: 004154AA
fwrite.CYGWIN1 ref: 004154CD

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent$fwrite$fflushputchar
String ID:
API String ID: 1108590979-0
Opcode ID: da7f194bbc8584845b8b1f3f33f05dea2af0966ca7e7108f9a8d10b31b2356a4
Instruction ID: e88d64def4a61d2d47b715ff9c78633812cdaa561071fc67647ae1e40dd76d3e
Opcode Fuzzy Hash: da7f194bbc8584845b8b1f3f33f05dea2af0966ca7e7108f9a8d10b31b2356a4
Instruction Fuzzy Hash: 86212AB0108B14EFD7117F66C14539EBAE1EF84368F51891EE4D88B292E77D94C0CB5A

Function 0040E850 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

gettimeofday.CYGWIN1 ref: 0040E893
gettimeofday.CYGWIN1 ref: 0040E8D9

Strings

S, xrefs: 0040E871
90, xrefs: 0040E8B1
/, xrefs: 0040E87A
, xrefs: 0040E85C

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: gettimeofday
String ID: $/$90$S
API String ID: 910392884-2579355787
Opcode ID: 1898681365d343bc626d6c7b11edf864bd37be1caeff1dc7466d821add60b491
Instruction ID: 2492fd5be7eb54fe982ce469423cc557d1dec4b4ff5bb78faeaf5628a08cbf0c
Opcode Fuzzy Hash: 1898681365d343bc626d6c7b11edf864bd37be1caeff1dc7466d821add60b491
Instruction Fuzzy Hash: E721B5715053149FE714DF55D98439BBBE4EB84314F10886EE888DB386D77CA984CF86

Function 0042F3F2 Relevance: 10.0, APIs: 8, Instructions: 48COMMON

Download Yara Rule

APIs

free.CYGWIN1 ref: 0042F408
free.CYGWIN1 ref: 0042F419
free.CYGWIN1 ref: 0042F42A
free.CYGWIN1 ref: 0042F441
free.CYGWIN1 ref: 0042F458
free.CYGWIN1 ref: 0042F469
free.CYGWIN1 ref: 0042F482
free.CYGWIN1 ref: 0042F48A

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f6ef0ea590964c6e0c9daf4f0c0f44f2355525ced2240a86018bede92aae366d
Instruction ID: f1fd467e7ac339833eca8d232b2e394133d73cdee8d442f0d0049b5d2d939183
Opcode Fuzzy Hash: f6ef0ea590964c6e0c9daf4f0c0f44f2355525ced2240a86018bede92aae366d
Instruction Fuzzy Hash: F711B2B1508204DBDF28BF79D0C975A77F0AB14318F84187EE8894B74AE7789888CF56

Function 0040BF78 Relevance: 9.1, APIs: 6, Instructions: 147stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,0040B79F), ref: 0040C009
exit.CYGWIN1(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,0040B79F), ref: 0040C034
strchr.CYGWIN1 ref: 0040C064
malloc.CYGWIN1 ref: 0040C0C6
strcpy.CYGWIN1 ref: 0040C0D7
exit.CYGWIN1 ref: 0040C121

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: exitstrchr$mallocstrcpy
String ID:
API String ID: 1104735214-0
Opcode ID: 424f657a91144d4e31ea197fb9262ca9abb4d92aa37a7c80aa70bfc4534a3136
Instruction ID: a64e3c4992c692b3f1ec2f9a3ee86e24793c5234779fcd41e5a517d33308f86e
Opcode Fuzzy Hash: 424f657a91144d4e31ea197fb9262ca9abb4d92aa37a7c80aa70bfc4534a3136
Instruction Fuzzy Hash: 5351B7758086A59EDB119F39889036ABFE0DF46314F04856BE4E4DB3D2D33CC981CB56

Function 00422811 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0042283C
gettimeofday.CYGWIN1 ref: 00422855
gettimeofday.CYGWIN1 ref: 004229C8
usleep.CYGWIN1 ref: 004229D0
gettimeofday.CYGWIN1 ref: 004229E4
gettimeofday.CYGWIN1 ref: 00422A2C

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: gettimeofday$putsusleep
String ID:
API String ID: 2723502633-0
Opcode ID: 82e458d2d66160dd820ffdd6349e5ef6bb5f685cd0fc86219f4bfe34561e21e4
Instruction ID: 2244c80659a1fffafd292bdc2af2c57a8c89d3026e172aa5aec16df6551cf8a0
Opcode Fuzzy Hash: 82e458d2d66160dd820ffdd6349e5ef6bb5f685cd0fc86219f4bfe34561e21e4
Instruction Fuzzy Hash: 78519FB1A04305DFC704DF69EA8535ABBE6BB84306F40953EE444876A2E7B8DC44CB99

Function 00421AFF Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00421B62
sleep.CYGWIN1 ref: 00421B81
puts.CYGWIN1 ref: 00421C15
sleep.CYGWIN1 ref: 00421C23
puts.CYGWIN1 ref: 00421CAB
sleep.CYGWIN1 ref: 00421CB9

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putssleep
String ID:
API String ID: 2929391209-0
Opcode ID: 8dece715bc9eab58ff1f0656a346400cffddc5c249acf39ca1494effba50b156
Instruction ID: d34995dd6f95f49a490404bfc58fc5b3874779caf99e9d3eaa279ce70e6ca81f
Opcode Fuzzy Hash: 8dece715bc9eab58ff1f0656a346400cffddc5c249acf39ca1494effba50b156
Instruction Fuzzy Hash: B5511AB4208B209AD7117F16E58132EBAF0FF14708F91590EE8D987752D77D9581CB8A

Function 00422F07 Relevance: 9.1, APIs: 6, Instructions: 127fileCOMMON

Download Yara Rule

APIs

fputc.CYGWIN1 ref: 00422F5F
fputc.CYGWIN1 ref: 00422F96

Part of subcall function 00423100: usleep.CYGWIN1 ref: 00423163

fputc.CYGWIN1 ref: 00422FA8
fwrite.CYGWIN1 ref: 00422FE4
fwrite.CYGWIN1 ref: 00423038
fwrite.CYGWIN1 ref: 00423073

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: fputcfwrite$usleep
String ID:
API String ID: 3666554851-0
Opcode ID: 1de6122533a7f3bf80b10c8e3b88f03a5a9e340cf29a5255a5701da9d52bdd5d
Instruction ID: 28d8df0b786824480e92a1f234e3e656a117dc44b259c4c4fff5614cd7bda82b
Opcode Fuzzy Hash: 1de6122533a7f3bf80b10c8e3b88f03a5a9e340cf29a5255a5701da9d52bdd5d
Instruction Fuzzy Hash: 9B51B2B06083109FD700AF19D18126EBBF4FF88754F51985FE8D88B246D7B99980DF5A

Function 00430F4B Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

dlopen.CYGWIN1 ref: 00430F60
dlsym.CYGWIN1 ref: 00430F8C
dlsym.CYGWIN1 ref: 00430FA6
dlsym.CYGWIN1 ref: 00430FED
dlsym.CYGWIN1 ref: 00431007
dlsym.CYGWIN1 ref: 00431021

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: dlsym$dlopen
String ID:
API String ID: 1908342191-0
Opcode ID: 0d3d33bcaad64aabe3ab6880e9de91d4c1a15f3007c9aeab2d4e1b464aea26cf
Instruction ID: 74b46915f293d89f3483aa41b173fb91d2d6e509953e77a540df977b19572a2f
Opcode Fuzzy Hash: 0d3d33bcaad64aabe3ab6880e9de91d4c1a15f3007c9aeab2d4e1b464aea26cf
Instruction Fuzzy Hash: 9621FCB0508300DFD711EF25E88A31A7BE1FB0834AF44982EE4C487392D7B9C844DB8A

Function 004178A2 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

Strings

CD-R CDU928E, xrefs: 0041797D
0dD, xrefs: 00417AF4
, xrefs: 00417C65
SONY, xrefs: 00417960

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID:
String ID: $0dD$CD-R CDU928E$SONY
API String ID: 0-2933898921
Opcode ID: 70e64e058142f2f0fd0aa886ecaceaee069c7e4e128a68eb9f61deaca9623758
Instruction ID: 83febb5d86e4368df265135856b2debcfc779f640c3b061067df8a07ae17464a
Opcode Fuzzy Hash: 70e64e058142f2f0fd0aa886ecaceaee069c7e4e128a68eb9f61deaca9623758
Instruction Fuzzy Hash: 41B108B05093159BDB20AF25C9843DABBF0EF44318F05886EE8895B352D77D8984CF9A

Function 0041DCEA Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0041DF42
puts.CYGWIN1 ref: 0041DF6A

Strings

OFF, xrefs: 0041DF14
guD, xrefs: 0041DE93
guD, xrefs: 0041DD71

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: OFF$guD$guD
API String ID: 2585676111-2493235301
Opcode ID: e1001dddf9df3b61d10ba7345b50f2849ade2f35e435c990d0c22b09c4216274
Instruction ID: b1313443b3865ad71f5e2e95ce88bfd3a99091aca396411ce97220ed958ed0a7
Opcode Fuzzy Hash: e1001dddf9df3b61d10ba7345b50f2849ade2f35e435c990d0c22b09c4216274
Instruction Fuzzy Hash: 5CC16EB0504719AFD720DF25D48839ABBF0BF44314F10869EE8988B291D778DAC5CF5A

Function 004057A9 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

putchar.CYGWIN1 ref: 00405ADA

Strings

no , xrefs: 0040582E, 00405954
<, xrefs: 00405895
swab, xrefs: 0040580F, 00405935
pad, xrefs: 004057FB, 00405921

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putchar
String ID: pad$ swab$<$no
API String ID: 2332253611-2059513193
Opcode ID: 8d67186f82672fb9997a7ea41a5c24d6510d15ec7fff075815114c19038d202f
Instruction ID: ff7a2c44c3ba642afdc74c13e4d17f5cffa076006ef087e416cb3cd2c621429c
Opcode Fuzzy Hash: 8d67186f82672fb9997a7ea41a5c24d6510d15ec7fff075815114c19038d202f
Instruction Fuzzy Hash: 1BA10DB06087069FD714DF69C08471ABBE1FF88314F04C92FE99897781D778A8548F8A

Function 00429AD3 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

__getreent.CYGWIN1(?,00000000,SONY,?,00417A4E), ref: 00429D40

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

putchar.CYGWIN1(?,00000000,SONY,?,00417A4E), ref: 00429D70

Strings

(persistent), xrefs: 00429CB2
(current), xrefs: 00429CC6
SONY, xrefs: 00429AD6

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent$putchar
String ID: (current)$(persistent)$SONY
API String ID: 2381683211-2515241536
Opcode ID: de4521df91b287614e37805bb1ff95fec7c1090803dec9a436ad7704a08d69dd
Instruction ID: bc3280c2e7b4bba1a3b5d154900113313d1076d9bd67ea9c08d806435ce7e76a
Opcode Fuzzy Hash: de4521df91b287614e37805bb1ff95fec7c1090803dec9a436ad7704a08d69dd
Instruction Fuzzy Hash: DE718CB06083249ED720AF26D48425ABBE1FF85354F44C86EE4D887342E77CD989DF96

Function 0041E74C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0041E8B3
puts.CYGWIN1 ref: 0041E8DB

Strings

OFF, xrefs: 0041E885
guD, xrefs: 0041E7A9
guD, xrefs: 0041E9FC

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: OFF$guD$guD
API String ID: 2585676111-2493235301
Opcode ID: de977f4e72a165d822c5ee045654a294a6c0c7b1db7a1dd6bf02e6e0143d96e0
Instruction ID: d2f087444e10f81e1d05318f2be968bf303d01a69a9b78bbd595087de335f4bb
Opcode Fuzzy Hash: de977f4e72a165d822c5ee045654a294a6c0c7b1db7a1dd6bf02e6e0143d96e0
Instruction Fuzzy Hash: 64814BB45083589EDB21DF25C4897DABBE0BF44314F04C99EE8988B282D778D989CF56

Function 0040B410 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147stringCOMMON

Download Yara Rule

APIs

strrchr.CYGWIN1 ref: 0040B451
isatty.CYGWIN1 ref: 0040B49D
_stat64.CYGWIN1 ref: 0040B4CE

Part of subcall function 00432FB2: fclose.CYGWIN1(?,00411113), ref: 00432FCE

Strings

., xrefs: 0040B446
mb@, xrefs: 0040B670

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _stat64fcloseisattystrrchr
String ID: .$mb@
API String ID: 413855041-4137373399
Opcode ID: 2d4f7029b6bcced438aa867ff3c2a213e15661c7cbc08b05518bcf4144237f78
Instruction ID: a368fcc5ec5f262e4a3d7c6fc8a44fc726b63338765e410ec7d6b286476a2e18
Opcode Fuzzy Hash: 2d4f7029b6bcced438aa867ff3c2a213e15661c7cbc08b05518bcf4144237f78
Instruction Fuzzy Hash: F35127709093059BE710AF65C54135EBBF0EF88314F10C96FA598A7391E77CD981DB8A

Function 004036DA Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 004348F0: __getreent.CYGWIN1(?,?,?,?,004345F9), ref: 004348FA

__getreent.CYGWIN1 ref: 004037C9

Strings

<C, xrefs: 00403818
9C, xrefs: 00403850
9C, xrefs: 00403800
, xrefs: 0040382C

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent
String ID: $9C$9C$<C
API String ID: 4170051706-2008553158
Opcode ID: 413217cb68411c6df695fef160036a6d1e72999b4107573a224fe997838a862b
Instruction ID: c69c207bb2e70ef190e1ee4e92de772d47b8d835000b95c7e53304a1100e594c
Opcode Fuzzy Hash: 413217cb68411c6df695fef160036a6d1e72999b4107573a224fe997838a862b
Instruction Fuzzy Hash: B3419DB1508741ABC310AF6AD54021EBFE4AF89328F10DA2EF4E44B3D2D778D9458B5B

Function 00417025 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

gettimeofday.CYGWIN1 ref: 004170D8
free.CYGWIN1 ref: 0041710C
free.CYGWIN1 ref: 0041716C
gettimeofday.CYGWIN1 ref: 0041718C

Strings

]D, xrefs: 00417115

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: freegettimeofday
String ID: ]D
API String ID: 2122708057-2593468940
Opcode ID: 49fed52b71c3c436fcec029e6e82763b0241d5a8d9273918bb1b6cd2a13cd60c
Instruction ID: a99ef7447a9c5800ed9f47a93ad9efca81dc1f8002296d63fb7b994eb10bb04b
Opcode Fuzzy Hash: 49fed52b71c3c436fcec029e6e82763b0241d5a8d9273918bb1b6cd2a13cd60c
Instruction Fuzzy Hash: 144105B09082199FCB10DF68C58469EBBF0FF48314F10862EE898A7351E738D984CF66

Function 0041D225 Relevance: 7.9, APIs: 3, Strings: 2, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strstr.CYGWIN1 ref: 0041D4EB
strstr.CYGWIN1 ref: 0041D508
strstr.CYGWIN1 ref: 0041D51C

Strings

\tD, xrefs: 0041D782
help, xrefs: 0041D5BC

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strstr
String ID: \tD$help
API String ID: 1392478783-4140273622
Opcode ID: 00c35ead012145f9f5e12499a5ca8cd271b27037da2d606429986ef0907122b5
Instruction ID: 086fc898b109aa4e97122090d168ada935231f8ec5f972e5dcea20796ec03163
Opcode Fuzzy Hash: 00c35ead012145f9f5e12499a5ca8cd271b27037da2d606429986ef0907122b5
Instruction Fuzzy Hash: 66028EB0A047559BD724DF25C4807AABBF1FF44314F14C69AE8A88B391D338E985CF85

Function 0040ABA0 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

isatty.CYGWIN1 ref: 0040ABB2
_fstat64.CYGWIN1 ref: 0040ABE0
_lseek64.CYGWIN1 ref: 0040AC61
read.CYGWIN1 ref: 0040AC9C
_lseek64.CYGWIN1 ref: 0040ACCE

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _lseek64$_fstat64isattyread
String ID:
API String ID: 1656159448-0
Opcode ID: fef454a7cd9d8bae884c2435055f9444aca90099e2d3b255ee958630cdffd4d7
Instruction ID: fd959fbbf3952352fb23be845150aa059c6e00f81672a3c5890cfc0659fead63
Opcode Fuzzy Hash: fef454a7cd9d8bae884c2435055f9444aca90099e2d3b255ee958630cdffd4d7
Instruction Fuzzy Hash: 7E413AB08087698ADB749F29C844399BBF1BF45324F54C399D4F8A62D0CF389A858FC5

Function 00421CFA Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strstr.CYGWIN1 ref: 00421D4F
strstr.CYGWIN1 ref: 00421D63
strstr.CYGWIN1 ref: 00421DA4
strstr.CYGWIN1 ref: 00421DB8

Strings

RICOH, xrefs: 00421D2A

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strstr
String ID: RICOH
API String ID: 1392478783-534238704
Opcode ID: b89533def77f0cbee3e08dec1597b1a26d7629f211a0597f0ba4afe9f309d659
Instruction ID: 7b5bc32848ee95dcda8284a30c6e29fad663ba8e3cabf1bf898069e7c314f2fe
Opcode Fuzzy Hash: b89533def77f0cbee3e08dec1597b1a26d7629f211a0597f0ba4afe9f309d659
Instruction Fuzzy Hash: 1E218170604A28EBEB119F14D4802ADBBA1EF14714F45C85ED8845B351CB3DEE82CFDA

Function 00419157 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

puts.CYGWIN1(?,?,?,?,?,?,00418EF1), ref: 00419190

Part of subcall function 0042E3DA: __getreent.CYGWIN1 ref: 0042E3E0

putchar.CYGWIN1 ref: 00419385
putchar.CYGWIN1 ref: 004193D6

Strings

not , xrefs: 004191EE, 00419216

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putchar$__getreentputs
String ID: not
API String ID: 907719599-3372961547
Opcode ID: 8557f0e3852de3ffc16552aba7d36f8103731fd5a5a5de90ae146de1f40b2c9d
Instruction ID: 757ccb2f3b3e85dd7a1225e9374a69f74be9881c0cc76e7932363735ee9dd929
Opcode Fuzzy Hash: 8557f0e3852de3ffc16552aba7d36f8103731fd5a5a5de90ae146de1f40b2c9d
Instruction Fuzzy Hash: 50A1FDF040C3949ED7059F66815536ABFE09F8A319F09C89FE8D88E296D37CC541DB2A

Function 0041E414 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0041E496

Strings

pvD, xrefs: 0041E4D2
b, xrefs: 0041E644
guDguD, xrefs: 0041E447, 0041E460, 0041E4C4, 0041E4FE, 0041E55D, 0041E5F1, 0041E621

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: b$guDguD$pvD
API String ID: 2585676111-1725531769
Opcode ID: 9cfb4b2973921bd08db3412f198f2a2d6dc77d4c70ac0270bb1900b79dd85723
Instruction ID: 73d5ba8ee4183e51099541423058686b8764d6754764c65b02c062a955ccf846
Opcode Fuzzy Hash: 9cfb4b2973921bd08db3412f198f2a2d6dc77d4c70ac0270bb1900b79dd85723
Instruction Fuzzy Hash: C091C3B490430A9FCB14CF99C18469EBBF1FF88318F24852EE858AB351D7749985CF96

Function 00430D57 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__errno.CYGWIN1 ref: 00430DEF
__errno.CYGWIN1 ref: 00430DF9

Strings

ASPI, xrefs: 00430E12
SPTI, xrefs: 00430E04

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __errno
String ID: ASPI$SPTI
API String ID: 1422650102-2941854592
Opcode ID: 39d23f2e5579443c325b63b7b60fe2f0b45f847d78a934b23d36abad1bc9b103
Instruction ID: b3edbef09e86d90f4bc199f2665acf05d84e14db6dd7ac3f6a065129a09262fa
Opcode Fuzzy Hash: 39d23f2e5579443c325b63b7b60fe2f0b45f847d78a934b23d36abad1bc9b103
Instruction Fuzzy Hash: D9514A70608705DBDB209F65D496369B7F1FB0830AF049A2FE49487396D7BCD884CB8A

Function 0042CFEB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

atoi.CYGWIN1 ref: 0042D02F
atoi.CYGWIN1 ref: 0042D095
__errno.CYGWIN1 ref: 0042D11A

Part of subcall function 0042D16C: __errno.CYGWIN1(?,0042CF3B,?,?,?,?,?,0042CEC8), ref: 0042D19C
Part of subcall function 0042D16C: __errno.CYGWIN1(?,0042CF3B,?,?,?,?,?,0042CEC8), ref: 0042D1A6

Strings

P, xrefs: 0042D074

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __errno$atoi
String ID: P
API String ID: 3381749239-3110715001
Opcode ID: daf431092985774caa94b5f8f4c24d99d1dea551c2cc275e9c0ef95863fd9cc4
Instruction ID: e8b3074b1664050e6c8779d5819df3a6e6f15a87cc7d94aac915d34c667225dc
Opcode Fuzzy Hash: daf431092985774caa94b5f8f4c24d99d1dea551c2cc275e9c0ef95863fd9cc4
Instruction Fuzzy Hash: 3D41B2B4A087189FCB10EF69C18129EBBF4EF49754F40891EE8989B351D3789985CF4A

Function 0042033A Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 403stringCOMMON

Download Yara Rule

APIs

strstr.CYGWIN1 ref: 0042061C
strstr.CYGWIN1 ref: 00420639
strstr.CYGWIN1 ref: 0042064D

Strings

help, xrefs: 004206ED

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strstr
String ID: help
API String ID: 1392478783-143088812
Opcode ID: 57012943afae8bcf509226e00122b83ced4da15634f01d642254b1f0deeb1053
Instruction ID: 14f00fac876acb1e1d4e25c0aa4157b4e61e72b8268c6b25dc96887d479517a5
Opcode Fuzzy Hash: 57012943afae8bcf509226e00122b83ced4da15634f01d642254b1f0deeb1053
Instruction Fuzzy Hash: A5027C706047289BD724DF25D48076ABBE1FF85314F54C69EE8A88B392D378E981CF85

Function 00422C0F Relevance: 6.2, APIs: 4, Instructions: 202fileCOMMON

Download Yara Rule

APIs

fputc.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422D58
fputc.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422D96
fputc.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422DAB
fwrite.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422DF7

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: fputc$fwrite
String ID:
API String ID: 4291123875-0
Opcode ID: 67708faf0ae3ab4b916f64a1a8506bcb52f26dc80f5e0e219ea53829f2251c86
Instruction ID: bb07def9f83c28baa9b9a275ea45804b386e716983d5a64ba7c7e69e942bf304
Opcode Fuzzy Hash: 67708faf0ae3ab4b916f64a1a8506bcb52f26dc80f5e0e219ea53829f2251c86
Instruction Fuzzy Hash: A991E3B0A04724AFDB10EF59D18069EBBF0FF88314F51C91EE8989B241D7B89941DF5A

Function 00410F24 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

getenv.CYGWIN1 ref: 00410F79
getenv.CYGWIN1 ref: 00410FDA
atoi.CYGWIN1 ref: 00411003
getenv.CYGWIN1 ref: 0041104A

Part of subcall function 00432FFD: rewind.CYGWIN1(?,004110C9), ref: 00433019

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: getenv$atoirewind
String ID:
API String ID: 3338748910-0
Opcode ID: 73c63e13f4ad75d3c5c2f180438aa43bfe0657234113f12f48f5f0eb3bb18e17
Instruction ID: de7310a6697af2ca52bb80776a36365fb33d02b922c1a18204d78b7b2dfec197
Opcode Fuzzy Hash: 73c63e13f4ad75d3c5c2f180438aa43bfe0657234113f12f48f5f0eb3bb18e17
Instruction Fuzzy Hash: 305194B49047469BD720AFA5C5813AFBBF0BF48314F00492FE69497341E7B8C9C18B5A

Function 0041771E Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1(?,?,?,?,?,?,00000001,?,?,0041771C), ref: 00417780
strchr.CYGWIN1(?,?,?,?,?,?,00000001,?,?,0041771C), ref: 004177BA
strncmp.CYGWIN1(?,?,?,?,?,?,00000001,?,?,0041771C), ref: 0041781F

Strings

=, xrefs: 004177AF

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strchr$strncmp
String ID: =
API String ID: 2197385779-2322244508
Opcode ID: f55ec86624e24f001fd34a6d039f90ec0b90a99e912528517b8a10f1627cbee5
Instruction ID: 85a6ab4041c0800820051a8b5ec9c3682acd30db56156ad399b4e854b62ca3cf
Opcode Fuzzy Hash: f55ec86624e24f001fd34a6d039f90ec0b90a99e912528517b8a10f1627cbee5
Instruction Fuzzy Hash: 5E417E70D082098BEF159FA9C9883EEBBF1FB44314F14452BE451A7381D77C9A82CB5A

Function 00413EA6 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

gettimeofday.CYGWIN1 ref: 00413F3A
free.CYGWIN1 ref: 00413F67
free.CYGWIN1 ref: 00413FBE
gettimeofday.CYGWIN1 ref: 00413FDE

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: freegettimeofday
String ID:
API String ID: 2122708057-0
Opcode ID: 9f65ace0d4c6bfe3b44b9b5517f7bb249e0de993b4427afc441bd55266b59acf
Instruction ID: ec0fd1224acae599e97ac8243e48425c802f2837eac9c9e935b67c4681df4bd1
Opcode Fuzzy Hash: 9f65ace0d4c6bfe3b44b9b5517f7bb249e0de993b4427afc441bd55266b59acf
Instruction Fuzzy Hash: 6741E6B19043199FCB10EF69C18479EBBF4FF48314F10852EE89897351E3389985CBA6

Function 0040D1FB Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1(?,?,?,?,?,?,?,?,?,?,0040C5D0), ref: 0040D22E

Strings

;, xrefs: 0040D2D7
J, xrefs: 0040D31A
:, xrefs: 0040D223

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strchr
String ID: :$;$J
API String ID: 2830005266-1295789066
Opcode ID: 60940ef7c557281642af93b9a055fcf4e4462fc404a0beeaaeebb241063efe87
Instruction ID: c7cbbbf6a685513af0ab67fdd97060bc901f0a2b874b10f28ccd6c42c3bd3e22
Opcode Fuzzy Hash: 60940ef7c557281642af93b9a055fcf4e4462fc404a0beeaaeebb241063efe87
Instruction Fuzzy Hash: 72414CB0D083059ED710AFA9C54026EBBF4BF85314F50896FE0D4A7281D3B89944CB97

Function 004219CF Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00421A2F
sleep.CYGWIN1 ref: 00421A4B
puts.CYGWIN1 ref: 00421AC3
sleep.CYGWIN1 ref: 00421AD1

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: putssleep
String ID:
API String ID: 2929391209-0
Opcode ID: af60e78306a940b8fa9fc3abe69347b76b297bc681cbd251428829d3bfc8d293
Instruction ID: f49a62770f350ad38be6d21f1e8315529604093f54767b40138d9332ec04520b
Opcode Fuzzy Hash: af60e78306a940b8fa9fc3abe69347b76b297bc681cbd251428829d3bfc8d293
Instruction Fuzzy Hash: B0315EB4205B209AD7207F16E68132EBAE0FF14708F81580FE8C986752D77D9581CB8E

Function 0042B9EC Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

setmode.CYGWIN1 ref: 0042BA38
strcmp.CYGWIN1 ref: 0042BA58
_open64.CYGWIN1 ref: 0042BA95
close.CYGWIN1 ref: 0042BAB6

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _open64closesetmodestrcmp
String ID:
API String ID: 3563893427-0
Opcode ID: 99c474749735a5b84bc63f98d8a30a24274779e8f4143c76bd13e8c56f727dc9
Instruction ID: e48742a28f866dc21c5f93ea16f79c5f78f4ce974092bd4b81ce8f1491eefd9e
Opcode Fuzzy Hash: 99c474749735a5b84bc63f98d8a30a24274779e8f4143c76bd13e8c56f727dc9
Instruction Fuzzy Hash: E33106B0604715CBCB11DF19E48076A7BE0FB48355F55447AED888B352D778DC80DB99

Function 0042BB7F Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

close.CYGWIN1(?,?,?,?,?,?,?,?,?,0040A78A), ref: 0042BBCF
free.CYGWIN1(?,?,?,?,?,?,?,?,?,0040A78A), ref: 0042BC03
free.CYGWIN1(?,?,?,?,?,?,?,?,?,0040A78A), ref: 0042BC0B
_lseek64.CYGWIN1 ref: 0042BC37

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: free$_lseek64close
String ID:
API String ID: 2448382481-0
Opcode ID: 47a7dc03e8a011f55c9a615d1a8f4121f04ce27bef1e648e4846010df194c3bd
Instruction ID: 4118335df5191fb41670b63749016d685a4d0646a1187d34ac6d8e16b9278bd7
Opcode Fuzzy Hash: 47a7dc03e8a011f55c9a615d1a8f4121f04ce27bef1e648e4846010df194c3bd
Instruction Fuzzy Hash: 2A21B3B4A04719DBCB20DF59D48121ABBE0FB18315F9484AEE9849B756D378EC80CF89

Function 0042C036 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

free.CYGWIN1 ref: 0042C06C
free.CYGWIN1 ref: 0042C093
free.CYGWIN1 ref: 0042C0BA
close.CYGWIN1 ref: 0042C103

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: free$close
String ID:
API String ID: 3921480566-0
Opcode ID: 9bc433fd5e9f66a998df35642ae1c40870eed752f83b952d8193075c7edd4b7d
Instruction ID: 337c6b9f2362934633b34340c0474ccecb32e1702f2106d5d048e0a3724d8b95
Opcode Fuzzy Hash: 9bc433fd5e9f66a998df35642ae1c40870eed752f83b952d8193075c7edd4b7d
Instruction Fuzzy Hash: A0211670A04714DFDB10DF6AC089B69B7F0BF09324F4545AAE8988B792C778A894CFC5

Function 004356E0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

_fdopen64.CYGWIN1 ref: 00435715
_fseeko64.CYGWIN1(?,?,?,?,?,?,?,?,?,?,00433296), ref: 00435743
setbuf.CYGWIN1(?,?,?,?,?,?,?,?,00433296), ref: 00435759
close.CYGWIN1 ref: 0043577F

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _fdopen64_fseeko64closesetbuf
String ID:
API String ID: 3854645751-0
Opcode ID: 5a8e960507b8d331f7de68d45e469e1e3c6fff02eed98a28486c716c91a77100
Instruction ID: a40c895a224cf0c0c0d5ace1d5abdd50f51c12f77ed84136804bddb6ef4d4abd
Opcode Fuzzy Hash: 5a8e960507b8d331f7de68d45e469e1e3c6fff02eed98a28486c716c91a77100
Instruction Fuzzy Hash: 181106B5A08708DBDB10AF69D48535EBBF4AF48754F15A86EE8C49B302C778E940CB85

Function 004046A6 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

usleep.CYGWIN1 ref: 00404704
sysconf.CYGWIN1 ref: 00404712
usleep.CYGWIN1 ref: 00404723
usleep.CYGWIN1 ref: 00404731

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: usleep$sysconf
String ID:
API String ID: 1957401871-0
Opcode ID: 51c5e5e6dacbea8f4b71a7312116fb8368af7d808ec98cc774c144370d9418f4
Instruction ID: c07da363c01c05c0008cf8cbd5b8f5b6a32025d71bc592da803bc25ea6cf2fe4
Opcode Fuzzy Hash: 51c5e5e6dacbea8f4b71a7312116fb8368af7d808ec98cc774c144370d9418f4
Instruction Fuzzy Hash: A6112BB45083059FC710AF29C48055ABBE8FF59324F45492EE9C897381D378E8418BA6

Function 004093CE Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 004093E6
SetPriorityClass.KERNEL32 ref: 004093F6
GetCurrentThread.KERNEL32 ref: 00409422
SetThreadPriority.KERNEL32 ref: 00409432

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: CurrentPriorityThread$ClassProcess
String ID:
API String ID: 1171435874-0
Opcode ID: 0fc7fd114b474f52194f642c6bd57922b5e8655bcd0960de81840b772c4962cc
Instruction ID: bcf1a2824c8d487b77428988f47c7b8ab9acccda357945b74f23ef40900d00c1
Opcode Fuzzy Hash: 0fc7fd114b474f52194f642c6bd57922b5e8655bcd0960de81840b772c4962cc
Instruction Fuzzy Hash: BB0184B050C30597DB10BFB5C58521E7BA4AF44368F10572EE4B49B3D2D77CD8858B9A

Function 00436CA7 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

__isnand.CYGWIN1(?,?,00000000,?,00436A87), ref: 00436CB7
strcpy.CYGWIN1 ref: 00436CCB
__isinfd.CYGWIN1(?,?,00000000,?,00436A87), ref: 00436CDD
strcpy.CYGWIN1 ref: 00436CF6

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: strcpy$__isinfd__isnand
String ID:
API String ID: 3578970381-0
Opcode ID: c61883194ee6c1e965265cc3674adf194dddbcc890074c2c841e88ed48d49bb7
Instruction ID: 5bdce38c72e0b8a63ac6c6e074cd507af4ae3d3cd86b4bacdb6403326ded6ac5
Opcode Fuzzy Hash: c61883194ee6c1e965265cc3674adf194dddbcc890074c2c841e88ed48d49bb7
Instruction Fuzzy Hash: 80F05EB0208A0CA2E7007F25F88565BBAA4DF48714F12E57EE4C44A642DB39C811C39A

Function 00411472 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

malloc.CYGWIN1 ref: 00411495
strcpy.CYGWIN1 ref: 004114A7

Strings

62D , xrefs: 004114B1
62D , xrefs: 00411481

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: mallocstrcpy
String ID: 62D $62D
API String ID: 2462975024-2729908260
Opcode ID: a9622dd4fdbd6b103e2b76f805fc000d4f5dbdafd90f8da0e8fb1cbf33f49f54
Instruction ID: c38d7ca071aab8b322bcbed0851286f32f7a0bb9d02a0f512bdf61827cc9fbbc
Opcode Fuzzy Hash: a9622dd4fdbd6b103e2b76f805fc000d4f5dbdafd90f8da0e8fb1cbf33f49f54
Instruction Fuzzy Hash: D6F03075D0471CABCB10AFA9844109DFBF4EF48720F51459EAC98A7381DA74DE408BC5

Function 00418389 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

HeD, xrefs: 004187E8
HeD, xrefs: 00418407

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreent
String ID: HeD$HeD
API String ID: 4170051706-656439930
Opcode ID: cda75ac86bacdbdc2da601d9c47d6bbc71c1535d02e2189b29a60e31b34e2dd8
Instruction ID: bf9fe87563906ebc6735491ab2a7f7ed4c34f89bac6d9f2c40c5c824827eb2fe
Opcode Fuzzy Hash: cda75ac86bacdbdc2da601d9c47d6bbc71c1535d02e2189b29a60e31b34e2dd8
Instruction Fuzzy Hash: 5CD171B04083559ED7119F25C4863DABFF0AF42314F15CA9EE8D84A286D778C589CFAA

Function 00420F4D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0042119B
puts.CYGWIN1 ref: 004211C3

Part of subcall function 0042E3DA: __getreent.CYGWIN1 ref: 0042E3E0

Strings

OFF, xrefs: 0042116D

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts$__getreent
String ID: OFF
API String ID: 3147310380-3172671433
Opcode ID: 98cf0bc7fb410c3cace723dfd450c1bcfaa17ed4b34e6516f2699deffc8b3ffd
Instruction ID: e50f8e83f4cb7e78fb264c67bc12f135739af0029df79df89081f110ab93a5c8
Opcode Fuzzy Hash: 98cf0bc7fb410c3cace723dfd450c1bcfaa17ed4b34e6516f2699deffc8b3ffd
Instruction Fuzzy Hash: 3DB15CB06043699FD720DF15D48839EBBF0BF48714F50869EE898972A1D778C985CF4A

Function 00411F62 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00412097

Strings

8D, xrefs: 004120A2
not , xrefs: 004120B5

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: not $8D
API String ID: 2585676111-2430183909
Opcode ID: dd2712dd87d0a88662d7afd9478cb672302ecafb0f730b879f3d8185c158c959
Instruction ID: ca404d41f351358f104b74de5efd5c7319a43f13f7185364919c9ee1cbffda65
Opcode Fuzzy Hash: dd2712dd87d0a88662d7afd9478cb672302ecafb0f730b879f3d8185c158c959
Instruction Fuzzy Hash: C791E3B0909759AFDB10EF65C18439EFBF0BF88714F00892EE89897341D7789A85DB46

Function 0042A386 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

putchar.CYGWIN1(?,?,?,0042A707), ref: 0042A55C
puts.CYGWIN1(?,?,?,0042A707), ref: 0042A681

Part of subcall function 004349B5: __getreent.CYGWIN1 ref: 004349E1

Strings

not , xrefs: 0042A3A7, 0042A4BC

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreentputcharputs
String ID: not
API String ID: 2181172682-3372961547
Opcode ID: cb0012a0ac9d08308d420dbbc1fecf8b03aa1f1d97a7f2d615a6ddce3b04b990
Instruction ID: 8276116abdf1cc114203c21d42f8ddd507310a4f6ffca7d93818a08d2cb39a8d
Opcode Fuzzy Hash: cb0012a0ac9d08308d420dbbc1fecf8b03aa1f1d97a7f2d615a6ddce3b04b990
Instruction Fuzzy Hash: D58154F05082A05EE751AF3A844136ABFE09F8A305F49C49FE8D88A247D77CC551DB6B

Function 00419A91 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00419AD2
puts.CYGWIN1 ref: 00419BDA

Strings

dkD, xrefs: 00419C7D

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: dkD
API String ID: 2585676111-1193774347
Opcode ID: 056ce1f137a24104a2e24fbcd32f7e2c60a605b67beadbeb92fc2d6e643d96fd
Instruction ID: 3d4becc96a356f84f95507af156e2f7ba01d6a9dd107ae83c22112b1466cf889
Opcode Fuzzy Hash: 056ce1f137a24104a2e24fbcd32f7e2c60a605b67beadbeb92fc2d6e643d96fd
Instruction Fuzzy Hash: 9D713CB05047159FC710DF69C4842AABBF0FF45328F158A1EE4E987391E378E881CB9A

Function 00415F62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 004161A6

Part of subcall function 0042E3DA: __getreent.CYGWIN1 ref: 0042E3E0

Strings

<, xrefs: 004161C3
, xrefs: 004160FB

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __getreentputs
String ID: $<
API String ID: 370402895-428540627
Opcode ID: 109712ec4c7aabe9692c01604f62642aadb638d1bcf145f8e5f0e13abc82574e
Instruction ID: 8c044d5f656f2cb556dd0564880ab63b3c35dc5500e20301102d08713f81d6ef
Opcode Fuzzy Hash: 109712ec4c7aabe9692c01604f62642aadb638d1bcf145f8e5f0e13abc82574e
Instruction Fuzzy Hash: 6E71E3B05087149BE310AF26C58539EBBF0FF84748F41C85EE4C987242D7B9D6898F9A

Function 00436A60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 00436CA7: __isnand.CYGWIN1(?,?,00000000,?,00436A87), ref: 00436CB7
Part of subcall function 00436CA7: strcpy.CYGWIN1 ref: 00436CCB

ecvt.CYGWIN1 ref: 00436AAF

Strings

gfff, xrefs: 00436B5F
c, xrefs: 00436B31

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: __isnandecvtstrcpy
String ID: c$gfff
API String ID: 3809784393-1983784439
Opcode ID: f35c23c6014346d34d6726d2f4e7ead19fffe7de6ed4082622d676acf83ff550
Instruction ID: 62bca5765db6049694b44df2134abcad3160532a4cbb977fb055c40603197a34
Opcode Fuzzy Hash: f35c23c6014346d34d6726d2f4e7ead19fffe7de6ed4082622d676acf83ff550
Instruction Fuzzy Hash: 8C41A23490425A9FCB11CF6DC4C169EBFF1FF5A300F1982AAD494DB246D374A946CB91

Function 00414007 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00414047
puts.CYGWIN1 ref: 00414124

Strings

nID, xrefs: 0041408E

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: nID
API String ID: 2585676111-3976351485
Opcode ID: a9b345f6b519c18639c464a1150be80e0b8acba5b52543f65560c64bbd1ada41
Instruction ID: 3693c5c52e56cb44a2dbdf2742570925184971eb0946a1dedeb6b7bfbcf89756
Opcode Fuzzy Hash: a9b345f6b519c18639c464a1150be80e0b8acba5b52543f65560c64bbd1ada41
Instruction Fuzzy Hash: CD417270504304ABC7149F69C44539ABBE0BF95329F148A5FD9E48B3D2E778D8C1CB4A

Function 0042C759 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

setsockopt.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C7FD
setsockopt.CYGWIN1(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C889

Strings

P, xrefs: 0042C777

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: setsockopt
String ID: P
API String ID: 3981526788-3110715001
Opcode ID: cc47c5b95c06fc8def438f39df8e3d5e65fb60c79401815ca068eea17c9b0ae4
Instruction ID: 4a854d67ac65e0cbc52a64b1265bf3bc801c7168991b44496d87642b05d26a52
Opcode Fuzzy Hash: cc47c5b95c06fc8def438f39df8e3d5e65fb60c79401815ca068eea17c9b0ae4
Instruction Fuzzy Hash: A941E5B0A043199FDB00DF59C084A9EBBF5BF84355F50C52AE9A88B341D378E885CF86

Function 004231B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

sleep.CYGWIN1 ref: 00423207

Strings

0, xrefs: 0042322F

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: sleep
String ID: 0
API String ID: 255050412-4108050209
Opcode ID: e3bb7f4775a375a4c4a9a7f7a03654a7ecab4fa47babc14201dceedc66a34366
Instruction ID: 140647f02a6547b1e03772427b747107391f00f7f723353bbf5f193e09899d7b
Opcode Fuzzy Hash: e3bb7f4775a375a4c4a9a7f7a03654a7ecab4fa47babc14201dceedc66a34366
Instruction Fuzzy Hash: 5F218EB1704224CBDB106F25E98027A7AF0FF55395F9109AFDC859A202D73DDA80CB9A

Function 00412D0F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 00412D6E

Strings

l, xrefs: 00412D82
*GD, xrefs: 00412DDD

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: puts
String ID: *GD$l
API String ID: 2585676111-2314160629
Opcode ID: 5c0e50d6b9ea4bcc4a9753f22e5778f44a3bdfdde90becf4a507881870f3846c
Instruction ID: 5b3156b7c2be4ec71873a808f47ee1094b31c198983e3d870893f3cbc7482b47
Opcode Fuzzy Hash: 5c0e50d6b9ea4bcc4a9753f22e5778f44a3bdfdde90becf4a507881870f3846c
Instruction Fuzzy Hash: 8A2157B09043549FDB109F29C5813AABFB0BB41304F05858ED9D08B686C7B9EA55EB95

Function 00408F99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

puts.CYGWIN1 ref: 0040903B
write.CYGWIN1 ref: 00409058

Part of subcall function 00434616: exit.CYGWIN1(?,?,?,?,00434607), ref: 0043464F
Part of subcall function 00434616: strerror.CYGWIN1(?,?,?,?,?,004345B4), ref: 0043467C

Strings

0, xrefs: 00408FE8

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: exitputsstrerrorwrite
String ID: 0
API String ID: 1345487986-3879967912
Opcode ID: a94dbf99953a54759d015187e6362681404ff6993b65b96266e505d499665758
Instruction ID: dbfef77f0a195bb684d38ed06597fcf278a3efb82c1d47ea86bc6a44d8f8c932
Opcode Fuzzy Hash: a94dbf99953a54759d015187e6362681404ff6993b65b96266e505d499665758
Instruction Fuzzy Hash: 0321E9B55053059FD700AF29C58566EBBE0FF88318F05891EE8E88B392E778E440CF56

Function 00434DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00436955: fileno.CYGWIN1(00435310,?,?,?,?,?,?,?,?,?,0043548C,?,?,?,?,004355AC), ref: 00436962

fileno.CYGWIN1 ref: 00434DE7

Part of subcall function 00435380: read.CYGWIN1(00000000,?,00434DFC), ref: 004353AE

fread.CYGWIN1(?,?,?,?,?,?,?,004106E5), ref: 00434E11

Strings

0/D, xrefs: 00434E47

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: fileno$freadread
String ID: 0/D
API String ID: 1302424121-3095888230
Opcode ID: d9b9c25fa69018e8d62a5354eaadc083c55ffa891a6d0c12748544ae0a9fc373
Instruction ID: 57e76965e7a05aa11e3ee2a5fc33d070f2dbb314752dda484e191de1945c8d86
Opcode Fuzzy Hash: d9b9c25fa69018e8d62a5354eaadc083c55ffa891a6d0c12748544ae0a9fc373
Instruction Fuzzy Hash: 7E01CCB48083149BCB10AF55C58525DFBF5AF48314F11984EED9467351C378A9408F46

Function 0040A15E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_mmap64.CYGWIN1 ref: 0040A1A8
close.CYGWIN1 ref: 0040A1CB

Strings

!, xrefs: 0040A18D

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: _mmap64close
String ID: !
API String ID: 3964727440-2657877971
Opcode ID: d375c1b388737246103e20e83c7e8daad22c544451ef48a8cc107e60a9ee55de
Instruction ID: 4859410c49d37a7c6b36124fadc47c4561a7244ccf15619c0157cbc35046b461
Opcode Fuzzy Hash: d375c1b388737246103e20e83c7e8daad22c544451ef48a8cc107e60a9ee55de
Instruction Fuzzy Hash: EE1109B0808704ABC700EF59C44435EFBF4AB88734F118A5EE8A45B3D1C3B899849F86

Function 00406B58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

getrlimit.CYGWIN1 ref: 00406B6C
setrlimit.CYGWIN1 ref: 00406BBC

Strings

m%, xrefs: 00406B5E

Memory Dump Source

Source File: 00000000.00000002.3282108894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3282088649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282145456.0000000000438000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282164346.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3282194890.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000__cdrecord.jbxd

Similarity

API ID: getrlimitsetrlimit
String ID: m%
API String ID: 3102480915-4260472848
Opcode ID: a00bdf7ce11e47342c4d9b5eef5f4f95bb753ca2a1fef7d353884372dd67bcae
Instruction ID: b0d21926038125afd9b46935187538cbae303d4e0d691f43fb0c271d384b9f76
Opcode Fuzzy Hash: a00bdf7ce11e47342c4d9b5eef5f4f95bb753ca2a1fef7d353884372dd67bcae
Instruction Fuzzy Hash: 32F0E2B0808308ABD710EF54C04134EFFF4AB48318F028A5EE4E8A7281D378A5948F46

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.425791093873699
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	_cdrecord.exe
File size:	433'295 bytes
MD5:	af7468dd406bd65837e1bf8fdb2e2e90
SHA1:	1ecf40e9d93f046ca2462556f13f260f143212db
SHA256:	07fcf0f808b802c8c4b568069f31f4b007cc64fec5af385325150709788ed34b
SHA512:	488f27ca75c0957fa2956c7814f75f12abc82b2bdc711fae119b136e26a0babd2e2840934588eb6594a5b31b62f1d51171ad83d038086dd7938b58267549721a
SSDEEP:	6144:ZdRktjzLtUiDuxXmb6KVceQZus+7dMdm18uMWVUbP/gt/NTV0AhjEk/:jGHtUiduKvQZB+xsH/gHNxEa
TLSH:	C5946B04FA976CF6CD52017685C7E62F273CE1E0CA229F43D7844E25DE63CE22969B52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......E.\|..j..........8.n.......<................@........................................... ............................

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x45C705CE [Mon Feb 5 10:24:14 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59504c3317a2479bacfc1b5c3f27c25c

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre


Icon Hash:	00928e8e8686b000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report _cdrecord.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: _cdrecord.exePID: 5556, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6804, Parent PID: 5556

General

Chronological Activities

Disassembly

Analysis Process: _cdrecord.exePID: 5556, Parent PID: 1028COMMON

Non-executed Functions

Function 0042FC80 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 137COMMON

Function 00431E80 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 388COMMON

Function 00414D51 Relevance: 5.0, APIs: 3, Instructions: 468COMMON

Function 004325C0 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 301COMMON

Function 0042FA68 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Function 00432C5C Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Function 004329A0 Relevance: 1.5, APIs: 1, Instructions: 214COMMON

Windows Analysis Report
_cdrecord.exe