Edit tour

Windows Analysis Report
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Analysis ID:	1447596
MD5:	3ea7144962bfbe89e0145695fd039655
SHA1:	38e4c4c1f1d104da067f12c1d06734d354ce0ce1
SHA256:	b0c1e15f1b660f639ea88e6999bbe4bab7b35e84337b92b1059638e0c7fa947f
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe" MD5: 3EA7144962BFBE89E0145695FD039655)

SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp (PID: 6308 cmdline: "C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe" MD5: 52950AC9E2B481453082F096120E355A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Virustotal: Detection: 31%			Perma Link

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose,	1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004511DC FindFirstFileA,GetLastError,	1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose,	1_2_0045DE20

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922256093.00000000020F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cyworld.nate.com/nuclear_mine
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ispp.sourceforge.net/
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ispp.sourceforge.net/Des
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?ps
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?psU

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00423B2C NtdllDefWindowProc_A,	1_2_00423B2C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004722D4 NtdllDefWindowProc_A,	1_2_004722D4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00412580 NtdllDefWindowProc_A,	1_2_00412580
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0042ED38 NtdllDefWindowProc_A,	1_2_0042ED38
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004551F4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_004551F4

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_0042E6CC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E6CC

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00453AF8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_004082E8	0_2_004082E8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00462994	1_2_00462994
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004797C1	1_2_004797C1
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00485FE0	1_2_00485FE0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004800E8	1_2_004800E8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0044416C	1_2_0044416C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004305D0	1_2_004305D0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00444864	1_2_00444864
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004588EC	1_2_004588EC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0046498C	1_2_0046498C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00434A2C	1_2_00434A2C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00444C70	1_2_00444C70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0046AC90	1_2_0046AC90
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0047F238	1_2_0047F238
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0043D44C	1_2_0043D44C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045B694	1_2_0045B694
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0042FB74	1_2_0042FB74
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00443BC4	1_2_00443BC4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00433D28	1_2_00433D28

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00405964 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 004454D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00407894 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00433C40 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00455970 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00451AC0 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00455B70 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 004457A0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00403684 appears 204 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: String function: 00408BAC appears 44 times

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: _RegDLL.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal48.winEXE@3/4@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00453AF8

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_00454320 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00454320

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Code function: 0_2_00409A04 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409A04

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

File created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp "C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp "C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Section loaded: msls31.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Static file information: File size 2596914 > 1048576

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AD34

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00406518 push 00406555h; ret	0_2_0040654D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00408D90 push 00408DC3h; ret	0_2_00408DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax	0_2_00407FE5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004098EC push 00409929h; ret	1_2_00409921
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004305D0 push ecx; mov dword ptr [esp], eax	1_2_004305D5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00410678 push ecx; mov dword ptr [esp], edx	1_2_0041067D
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004128D0 push 00412933h; ret	1_2_0041292B
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0047C88C push 0047C96Ah; ret	1_2_0047C962
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00450A78 push 00450AABh; ret	1_2_00450AA3
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00442B3C push ecx; mov dword ptr [esp], ecx	1_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0040CFD0 push ecx; mov dword ptr [esp], edx	1_2_0040CFD2
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004573DC push 00457420h; ret	1_2_00457418
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045B38C push ecx; mov dword ptr [esp], eax	1_2_0045B391
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0040F530 push ecx; mov dword ptr [esp], edx	1_2_0040F532
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004715E8 push ecx; mov dword ptr [esp], edx	1_2_004715E9
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00419BD0 push ecx; mov dword ptr [esp], ecx	1_2_00419BD5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00455C0C push 00455C44h; ret	1_2_00455C3C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0047DEE0 push ecx; mov dword ptr [esp], ecx	1_2_0047DEE5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00409FE7 push ds; ret	1_2_00409FE8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	File created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00422804 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422804
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0042413C IsIconic,SetActiveWindow,	1_2_0042413C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00424184 IsIconic,SetActiveWindow,SetFocus,	1_2_00424184
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0047C25C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_0047C25C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0041832C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_0041832C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00417540 IsIconic,GetCapture,	1_2_00417540
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00417C76 IsIconic,SetWindowPos,	1_2_00417C76
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00417C78 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417C78

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

1_2_0044AD34

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5350

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-51196

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose,	1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_004511DC FindFirstFileA,GetLastError,	1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose,	1_2_0045DE20

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Code function: 0_2_00409948 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409948

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922275657.00000000005CF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

API call chain: ExitProcess graph end node

graph_0-6724

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

1_2_0044AD34

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_00471D70 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00471D70

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_0045A0E8 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,

1_2_0045A0E8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: GetLocaleInfoA,	0_2_0040515C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	Code function: GetLocaleInfoA,	0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: GetLocaleInfoA,	1_2_00408508
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	Code function: GetLocaleInfoA,	1_2_00408554

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_004566B8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_004566B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Code function: 1_2_00453AB0 GetUserNameA,

1_2_00453AB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Code function: 0_2_00405C44 GetVersionExA,

0_2_00405C44

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	15 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	21%	ReversingLabs
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe	31%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/?ps	0%	URL Reputation	safe
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://cyworld.nate.com/nuclear_mine	0%	Avira URL Cloud	safe
http://ispp.sourceforge.net/Des	0%	Avira URL Cloud	safe
http://ispp.sourceforge.net/	0%	Avira URL Cloud	safe
http://ispp.sourceforge.net/	0%	Virustotal		Browse
http://cyworld.nate.com/nuclear_mine	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://cyworld.nate.com/nuclear_mine	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922256093.00000000020F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.innosetup.com/	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.remobjects.com/?ps	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	false	URL Reputation: safe	unknown
http://ispp.sourceforge.net/	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ispp.sourceforge.net/Des	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/?psU	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447596
Start date and time:	2024-05-26 02:24:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Detection:	MAL
Classification:	mal48.winEXE@3/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 91 Number of non-executed functions: 182
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp	957URl9ErB.exe	Get hash	malicious	Socks5Systemz	Browse
	C0eD7SKCnN.exe	Get hash	malicious	Unknown	Browse
	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	c56wcjIguT.exe	Get hash	malicious	Unknown	Browse
	c56wcjIguT.exe	Get hash	malicious	Unknown	Browse
	hw-vsp3-single_3-1-2.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe	Get hash	malicious	Unknown	Browse
	jcreator_6i-6JJ1.exe	Get hash	malicious	Unknown	Browse
	jcreator_6i-6JJ1.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp	C0eD7SKCnN.exe	Get hash	malicious	Unknown	Browse
	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	VPNConnect.exe	Get hash	malicious	Unknown	Browse
	LGCMAIL_TW_XXXXX7292.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685056
Entropy (8bit):	6.469782512324722
Encrypted:	false
SSDEEP:	12288:L/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqjxy:jvksLWtkrPi37NzHDA6Yg5dsfoTzsxy
MD5:	52950AC9E2B481453082F096120E355A
SHA1:	159C09DB1ABCEE9114B4F792FFBA255C78A6E6C3
SHA-256:	25FBC88C7C967266F041AE4D47C2EAE0B96086F9E440CCA10729103AEE7EF6CD
SHA-512:	5B61C28BBCAEDADB3B6CD3BB8A392D18016C354C4C16E01395930666ADDC95994333DFC45BEA1A1844F6F1585E79C729136D3714AC118B5848BECDE0BDB182BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: C0eD7SKCnN.exe, Detection: malicious, Browse Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious, Browse Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious, Browse Filename: VPNConnect.exe, Detection: malicious, Browse Filename: LGCMAIL_TW_XXXXX7292.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................`...................@...........................@...%... ...:..........................................................................................................CODE....4........................... ..`DATA....p...........................@...BSS.......... ...........................idata...%...@...&..................@....tls.........p.......8...................rdata...............8..............@..P.reloc...............:..............@..P.rsrc....:... ...:...:..............@..P.............`......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	4.012434743866195
Encrypted:	false
SSDEEP:	48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD
MD5:	C594B792B9C556EA62A30DE541D2FB03
SHA1:	69E0207515E913243B94C2D3A116D232FF79AF5F
SHA-256:	5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E
SHA-512:	387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: 957URl9ErB.exe, Detection: malicious, Browse Filename: C0eD7SKCnN.exe, Detection: malicious, Browse Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious, Browse Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious, Browse Filename: c56wcjIguT.exe, Detection: malicious, Browse Filename: c56wcjIguT.exe, Detection: malicious, Browse Filename: hw-vsp3-single_3-1-2.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe, Detection: malicious, Browse Filename: jcreator_6i-6JJ1.exe, Detection: malicious, Browse Filename: jcreator_6i-6JJ1.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L.....%E..................................... ....@..........................@..............................................l ..P....0..8............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...8....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.203889009972449
Encrypted:	false
SSDEEP:	48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv
MD5:	B4604F8CD050D7933012AE4AA98E1796
SHA1:	36B7D966C7F87860CD6C46096B397AA23933DF8E
SHA-256:	B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5
SHA-512:	3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d......E..........#............................@.............................`..............................................................<!.......P..8....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...8....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.996401190961517
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
File size:	2'596'914 bytes
MD5:	3ea7144962bfbe89e0145695fd039655
SHA1:	38e4c4c1f1d104da067f12c1d06734d354ce0ce1
SHA256:	b0c1e15f1b660f639ea88e6999bbe4bab7b35e84337b92b1059638e0c7fa947f
SHA512:	eace33f7981f50db457a504ba6f08d909de47548e5f1daeb4d66c586cb4160e7bc47bb408e83c5fea7d80d05b869e05b31ca26b061b602a8aa42292b073eacaf
SSDEEP:	49152:v2FHdDBI88HSk1769bp27F7I8qMcs2THzTpeKrGmVXJq10SBWX7NcH6swr:uF9VI8ESK769bpnMl0NJXg1rWrNcH52
TLSH:	80C53302FD52A8F5C179ABF10E1EE9308E73BE6035292971563D944EAE63C73C01A767
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x409a58
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F09F8B97633h
call 00007F09F8B9883Ah
call 00007F09F8B9AA65h
call 00007F09F8B9AAACh
call 00007F09F8B9D2D3h
call 00007F09F8B9D43Ah
xor eax, eax
push ebp
push 0040A10Bh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A0D4h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F09F8B9DE60h
call 00007F09F8B9D9C7h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F09F8B9B071h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE4h
call 00007F09F8B976E4h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE4h]
mov dl, 01h
mov eax, 004072A4h
call 00007F09F8B9B8DCh
mov dword ptr [0040CDE8h], eax
xor edx, edx
push ebp
push 0040A08Ch
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F09F8B9DED0h
mov dword ptr [0040CDF0h], eax
mov eax, dword ptr [0040CDF0h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F09F8B9E00Ah
mov eax, dword ptr [0040CDF0h]
mov edx, 00000028h
call 00007F09F8B9BCDDh
mov edx, dword ptr [0040CDF0h]
cmp eax, dword ptr [edx+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9174	0x9200	ea92e1415bc80e2738e334267ebbb921	False	0.614699272260274	data	6.566253815683607	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	f96da19d2571a42bdff1b9e8bd62ec99	False	0.3076171875	data	2.7350839451932765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe48	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2a00	0x2a00	d518cbb35132ce608adcf8c073865213	False	0.32719494047619047	data	4.487301679813622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States	0.2740066225165563
RT_MANIFEST	0x13534	0x47e	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4330434782608696

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 02:25:48.519448996 CEST	53	52072	162.159.36.2	192.168.2.4
May 26, 2024 02:25:49.415170908 CEST	53	64007	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	20:25:00
Start date:	25/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Imagebase:	0x400000
File size:	2'596'914 bytes
MD5 hash:	3EA7144962BFBE89E0145695FD039655
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:25:01
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Imagebase:	0x400000
File size:	685'056 bytes
MD5 hash:	52950AC9E2B481453082F096120E355A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	1534
Total number of Limit Nodes:	18

Executed Functions

Function 00409948 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 0040995A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409965
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004099A6
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004099D8
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 004099E8

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 2c2c90e72dc40e46b51dc553d84ebc029875cc2798a18ec57c7a7b28b8fc0619
Instruction ID: c51dc94dc7e70e4f078c95023904a162ea503a2a47d9e89981edb447ffe3f24e
Opcode Fuzzy Hash: 2c2c90e72dc40e46b51dc553d84ebc029875cc2798a18ec57c7a7b28b8fc0619
Instruction Fuzzy Hash: 5F216DF12002046BDA309A598D85E6BB7D89B45360F08492FFA89E37C3D738ED40D669

Function 0040515C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED

Function 00408EFC Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A87), ref: 00408F1C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F22
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A87), ref: 00408F36
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F3C

Strings

Wow64RevertWow64FsRedirection, xrefs: 00408F2C
kernel32.dll, xrefs: 00408F17, 00408F31
Wow64DisableWow64FsRedirection, xrefs: 00408F12
shell32.dll, xrefs: 00408F68

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
Instruction ID: ef4badd54955bda93fd7c631ce084268f05c1d5093e10ec72b10b69b713a5d4b
Opcode Fuzzy Hash: 8f04cc14bccfcdb17213992c023d8f7c3ecead8bf0913e3ac44b7e7d270b511d
Instruction Fuzzy Hash: D701F770108301EEE700BB72DE57B163A59D745718F60443FF248761C2CE7C4904CA2D

Function 00409EE4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
SetWindowLongA.USER32(0001043A,000000FC,00409730), ref: 00409F57

Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FC8,?), ref: 00406AD0

Part of subcall function 004097BC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000,0040988F), ref: 0040982C
Part of subcall function 004097BC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000), ref: 00409840
Part of subcall function 004097BC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
Part of subcall function 004097BC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
Part of subcall function 004097BC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8), ref: 00409874

RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
73A25CF0.USER32(0001043A,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057

Strings

STATIC, xrefs: 00409F39
InnoSetupLdrWindow, xrefs: 00409F34
/SL5="$%x,%d,%d,, xrefs: 00409F97

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: 236cca2b7f0ad913bc20f36f3a7df695144f04c2335042181becfcebe84b62ef
Instruction ID: 4f29ae81ace6c5531c846cbde0b22070d88524e95894dc47e3de1b2ea254153d
Opcode Fuzzy Hash: 236cca2b7f0ad913bc20f36f3a7df695144f04c2335042181becfcebe84b62ef
Instruction Fuzzy Hash: 19412A70600205DFD711EBA9EE85B9E7BA5EB88304F10427BF510B72E2DB789805DB5D

Function 00409F08 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,020F1AA0), ref: 004093B8

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
SetWindowLongA.USER32(0001043A,000000FC,00409730), ref: 00409F57

Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FC8,?), ref: 00406AD0

Part of subcall function 004097BC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000,0040988F), ref: 0040982C
Part of subcall function 004097BC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000), ref: 00409840
Part of subcall function 004097BC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
Part of subcall function 004097BC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
Part of subcall function 004097BC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8), ref: 00409874

RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
73A25CF0.USER32(0001043A,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057

Strings

STATIC, xrefs: 00409F39
InnoSetupLdrWindow, xrefs: 00409F34
/SL5="$%x,%d,%d,, xrefs: 00409F97

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 240127915-3001827809
Opcode ID: cecf565c0961afba62185dae83a1111a0a24350c08567557d89fa88e41d9bdcc
Instruction ID: 8d10768f6f352a97fd7f45d9d75da35781c42c574274e542ef9de71c66c7d0f2
Opcode Fuzzy Hash: cecf565c0961afba62185dae83a1111a0a24350c08567557d89fa88e41d9bdcc
Instruction Fuzzy Hash: 26410B70A00205DBD711EBA9EE86B9E7BA5EB48304F10427BF510B73E2DB789805DB5D

Function 004097BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000,0040988F), ref: 0040982C
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8,00000000), ref: 00409840
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,020F1AA0,004098A8), ref: 00409874

Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,020F1AA0), ref: 004093B8

Strings

D, xrefs: 00409806

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: c5e523d568ed87ab69b8de1fa4de2ba8e9d12516204b82cc72ca68b77ef72ee6
Instruction ID: 4b44df64f6e4367ebc453b3e314358db19e806afbd12f45635a8daf6f5489de3
Opcode Fuzzy Hash: c5e523d568ed87ab69b8de1fa4de2ba8e9d12516204b82cc72ca68b77ef72ee6
Instruction Fuzzy Hash: F71145716102086EDB10FBE6CC52F9E77ACDF49714F50413BBA04F72C6DA785D048669

Function 00409EF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
SetWindowLongA.USER32(0001043A,000000FC,00409730), ref: 00409F57
RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
73A25CF0.USER32(0001043A,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057

Strings

/SL5="$%x,%d,%d,, xrefs: 00409F97

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,
API String ID: 3138356250-3932573195
Opcode ID: b613a7ce4edcb41dc67f34e270572c8bd45005561bf10fdcf5b8ae4482e344bf
Instruction ID: 92da378220fa86c3d7769582b63b95c30d1cbd5b696cf01c1bf744cbf4438da8
Opcode Fuzzy Hash: b613a7ce4edcb41dc67f34e270572c8bd45005561bf10fdcf5b8ae4482e344bf
Instruction Fuzzy Hash: B6313870A00205DFC715EBA9EE85B9E3BA5EB48304F10427BE450B73E2DB789805DB9D

Function 00409188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091CE
GetLastError.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091D7

Strings

.tmp, xrefs: 004091B7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
Instruction ID: b3c939f821d6d3b02d73a6ffc60c10d65ff6e2c1a1ef0f9f166dc2fc0ea9728e
Opcode Fuzzy Hash: 2a9b5b531dfd0466f51cddb5784c326d8b9171bad11d05e807471eb9e268ae76
Instruction Fuzzy Hash: 16214774A00209ABDB01EFA1C9429DFB7B9EB88304F50457FE501B73C2DA7C9E058BA5

Function 00409C56 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBA

Strings

.tmp, xrefs: 00409D00

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: e37c67d54dac57feaabedb1cd41a5786e804cc8be819c9315e680249df306dc9
Instruction ID: 59ccd3a8e5ff0a6346b3f4a7db234678dac937939a17de0d6313a761c5d443a3
Opcode Fuzzy Hash: e37c67d54dac57feaabedb1cd41a5786e804cc8be819c9315e680249df306dc9
Instruction Fuzzy Hash: B141C130604241DFD715EF29DE92A5A7BA6FB49308B11457AF800B73E2CB79AC01DB9D

Function 00409C71 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBA

Strings

.tmp, xrefs: 00409D00

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: f91dc667a2d24a60a81ae003db88dd446dde78fb0bef1b00c0f9948de59b2fab
Instruction ID: 097be32f3f4cb42389ad5c0a501b1885a0adcc09f85d4dbd7a75a59d9c7c1898
Opcode Fuzzy Hash: f91dc667a2d24a60a81ae003db88dd446dde78fb0bef1b00c0f9948de59b2fab
Instruction Fuzzy Hash: 6A41AF30600245DFD715EF29DE92A5A7BA6FB49308B10457AF800B73E2CB79AC01DB9D

Function 00406EC4 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406ECE
LoadLibraryA.KERNEL32(00000000,00000000,00406F18,?,00000000,00406F36,?,00008000), ref: 00406EFD

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
Instruction ID: 5e20ffdb52ff7e8261d23daca573ea8644dcd49689b218f11c6781c5bce8f48d
Opcode Fuzzy Hash: 730de3fdc093f184fd2de9ac27439434a3bd3e782f0b7281efe78e7bb3385372
Instruction Fuzzy Hash: D7F089705147047EDB119F769C6241ABBECD749B047534875F910A26D2E53C4C208568

Function 00407544 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040755B
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040756A

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
Instruction ID: 34e576fd7e6559e3ef6c853e67441063c40c11266019ec046b6cc2e4d5471cd5
Opcode Fuzzy Hash: 92944724dee91b38b7ee5b374f910e74d6c8544434624f4b14ecda59d71e3572
Instruction Fuzzy Hash: ABE06DA1A081507AEB20965AAC85FAB66DC8BC5314F04417BF904DB282C678DC00C27A

Function 00407584 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075A3
GetLastError.KERNEL32(?,?,?,00000000), ref: 004075AB

Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020F03AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 64234936368745cadff0884a95fa07edb9d6d799bdb4626fca8da24a174aceff
Instruction ID: 1215520e40270bbf1c42edbfe5ddbfad2f0444ede1f1e4d22e24bec04403dad1
Opcode Fuzzy Hash: 64234936368745cadff0884a95fa07edb9d6d799bdb4626fca8da24a174aceff
Instruction Fuzzy Hash: 6FE092B66081006BD700D55DC881A9B33DCDFC5364F044136BA54EB2C1D6B5EC008376

Function 004074DC Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004074F3
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004074FF

Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020F03AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7dcdc125b41699120aae8acb46450914bebfaac92dc1c1f3d4146a6219e6b847
Instruction ID: 3a188f8a391a656106576682ef5fc0e36605e971047c99b326a67709d18e7f8b
Opcode Fuzzy Hash: 7dcdc125b41699120aae8acb46450914bebfaac92dc1c1f3d4146a6219e6b847
Instruction Fuzzy Hash: B4E04FB1600210AFEB20EEB98981B9272D89F44364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 131490d6f48dacc0ee8608d3ef2a2ee0f0ac383d87a6c057b82cac812cab049b
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 131490d6f48dacc0ee8608d3ef2a2ee0f0ac383d87a6c057b82cac812cab049b
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 004051D0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF

Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49

Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98

Function 004068B4 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 71189d5fdb67734adcc989176e972d73cabe0a8508cd7dda32cb2fd1e54b45a1
Instruction ID: 028ce23b60034aad2079abf39c8673be77ca980571763ae766079fdae63e366f
Opcode Fuzzy Hash: 71189d5fdb67734adcc989176e972d73cabe0a8508cd7dda32cb2fd1e54b45a1
Instruction Fuzzy Hash: 59F0BE523019341BC6117A7F18815AFA7888B86709752417FF506FB382DE3EAE6352AE

Function 0040748E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 15eb5b8bcf830c4b195572af03a6c999168ba8d47e453751ce572d84692466fb
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: 15eb5b8bcf830c4b195572af03a6c999168ba8d47e453751ce572d84692466fb
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407490 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 460f9172ef9680e9bf065e809d42603cad769bb4ead04fe75bdd308fccde6f1f
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 460f9172ef9680e9bf065e809d42603cad769bb4ead04fe75bdd308fccde6f1f
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 00406918 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 004068B4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC

GetFileAttributesA.KERNEL32(00000000,00000000,00406960,?,?,?,?,00000000,?,00406975,00406CA3,00000000,00406CE8,?,?,?), ref: 00406943

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesCharFilePrev
String ID:
API String ID: 4082512850-0
Opcode ID: ce07a51bfea017e2e55e9614cb9ba507b4cfa1873d9ff840f51688b3279052b8
Instruction ID: 89044d1ea86e4fdb03922753e0a58770fdf95516ab6f2bcb8662fa4781c06fed
Opcode Fuzzy Hash: ce07a51bfea017e2e55e9614cb9ba507b4cfa1873d9ff840f51688b3279052b8
Instruction Fuzzy Hash: 04E09B713043047FD701EFB2DD53E59B7ECD789704B524476B501F7682D5785E108468

Function 004075E0 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004075F7

Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020F03AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 40637416ea930bd2570c4396363680a61cc257afb866cc0a67376a26f5c88c76
Instruction ID: cd18fb99e22355188e9d2f817127a110343b64b119c62ac1cd4bac3fbb067e43
Opcode Fuzzy Hash: 40637416ea930bd2570c4396363680a61cc257afb866cc0a67376a26f5c88c76
Instruction Fuzzy Hash: 66E06D726081106BEB10A65ED880E6B67DCCFC6364F04447BBA04EB241C575AC0096B6

Function 004071A8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408F7F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95), ref: 004071C7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b5d7a52e02d208d464bf7f6ecdaab9899475a573c382e68083ca8db3329c0493
Instruction ID: 5be2c53bb0bc0b7205463fa080de9070734fc39b970025fcf129f6524892d52e
Opcode Fuzzy Hash: b5d7a52e02d208d464bf7f6ecdaab9899475a573c382e68083ca8db3329c0493
Instruction Fuzzy Hash: F8E0D8B179830135F22500A44C87B76160E4780700F20403A3B10EE3D2D9BEA50A415F

Function 004075C4 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02108000,00409E9B,00000000), ref: 004075CB

Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020F03AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: db8739a5fd2cf61c38ac8d555984da3fa994a5017d3c1d655494e9af8eb405ba
Instruction ID: 3dced8f94abca6fd64a7c9696b134c452ef52fe1396460a469a389ba9e9200de
Opcode Fuzzy Hash: db8739a5fd2cf61c38ac8d555984da3fa994a5017d3c1d655494e9af8eb405ba
Instruction Fuzzy Hash: 78C04CA160410057DB50A7BE8AC2A0672D85F5820430441B6B908DB287D678EC009615

Function 00406F1F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3473aa6fdb671349066f074fc3b2aebd5c1d3b8cb352d1e979c386aa55b3b604
Instruction ID: f94a5d2238f2ee5303b4d558b5d93000027bb0092eeb8c65c9d9a83f01a259cd
Opcode Fuzzy Hash: 3473aa6fdb671349066f074fc3b2aebd5c1d3b8cb352d1e979c386aa55b3b604
Instruction Fuzzy Hash: A4B09BB661C2015DE705DAD5745153863D4D7C47103E14577F114D25C0D53C94154518

Function 00406F3B Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
Instruction ID: 8ce709a7dcc0858879a49907ae7d49f16bd3fabbd46d8b550b3201db24fc95e8
Opcode Fuzzy Hash: 5557acf2148e23312bf2bdc7768f633380236e382c485dac7de260305449c299
Instruction Fuzzy Hash: 46A022B8C00003B2CE80E2F08080A3C23282A883003C00AA2320EB2080C23EC0000A0A

Function 00407DB4 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E44

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
Instruction ID: e346e479d4e19dc6fbf4ec70e04c611644565a823529d475df5ed673f567dbda
Opcode Fuzzy Hash: 4b604b7c04c55a97cf12a425da2613599e639526dade8246110179d0dcd9af86
Instruction Fuzzy Hash: 521172716082059BDB10FF19C881B5B3794AF84359F04847AF958AB3C6DA38EC008B6B

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407460 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407470

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
Instruction ID: 0a303eee8e17872e34e3f08f3f74197a254d67d3e0467507f6d8b9a4d6bdce8a
Opcode Fuzzy Hash: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
Instruction Fuzzy Hash: 9FD0A7C1B00A6017D315F6BF498865B96C85F88685F08843BF684E73D1D67CAC00C3CD

Function 00407D5C Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E3A), ref: 00407D73

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
Instruction ID: 987a95dec6bedafdacc6f30d71d69a0298e18a8a9a30f6cccb61f0e346f0d057
Opcode Fuzzy Hash: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
Instruction Fuzzy Hash: 6FD0E9B17557045BDB90EEB94CC1B1237D97F48600F5044B66904EB296E674E800D614

Non-executed Functions

Function 004092A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004092AF
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092B5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092CE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092F5
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092FA
ExitWindowsEx.USER32(00000002,00000000), ref: 0040930B

Strings

SeShutdownPrivilege, xrefs: 004092C7

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
Instruction ID: 46e638963846eb8b1a8eef1e5041d40b59806408d3aca7422040dec9ba119927
Opcode Fuzzy Hash: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
Instruction Fuzzy Hash: 3FF012B079430276E620AAB58D07F6B62885BC5B48F50493EBA51FA1D3D7BCD8044A6E

Function 00409A04 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0E
SizeofResource.KERNEL32(00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 00409A21
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4,?,00000000), ref: 00409A33
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4), ref: 00409A44

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 13ffe1952f0d95e29d084444e35be522072a07585fb49b2685a126b429e6487b
Instruction ID: d67f3324bf52c58dde7a17cbdb2efc6a036c8c105ddb558a6a56d7c7a7ea3d45
Opcode Fuzzy Hash: 13ffe1952f0d95e29d084444e35be522072a07585fb49b2685a126b429e6487b
Instruction Fuzzy Hash: 30E07E913A434225FA6036F708C3B6A014C8BA670EF04503BBB00792C3DEBC8C04452E

Function 004051A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405C44 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409A78), ref: 00405C52

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A

Function 004082E8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: bf64fe3dbf7489daa5b396f442bfdc43c732794851cc1dd68f6a4bedb61b4a1f
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 7F32E875E00219DFCB14CF99CA80A9DB7B2BF88314F24816AD855B7395DB34AE42CF54

Function 00406F48 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406F71
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406F77
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406FC5

Strings

.DEFAULT\Control Panel\International, xrefs: 00406F9C
kernel32.dll, xrefs: 00406F6C
Control Panel\Desktop\ResourceLocale, xrefs: 00406FD4
GetUserDefaultUILanguage, xrefs: 00406F67
Locale, xrefs: 00406FB4

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
Instruction ID: 82a514a35929d101a3f87db01d263b67a2005a07a92a8f1bbb0e3c876c3699bd
Opcode Fuzzy Hash: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
Instruction Fuzzy Hash: F3214130E44209AFDB10EAA1CC56B9F77B8AB44304F60857BA605F72C1D77CAA05C79E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 00405314 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E

Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB

Strings

mmmm d, yyyy, xrefs: 0040541F
:mm:ss, xrefs: 0040552A
:mm, xrefs: 00405510
m/d/yy, xrefs: 004053FD
AMPM, xrefs: 004054F9

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(0066EE90,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,0066EE90,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(0066D338,?,00000000,00008000,0066EE90,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
9@, xrefs: 00403D29, 00403D34
Runtime error at 00000000, xrefs: 00403D96, 00403DA9

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,020F1C58,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,020F1C58,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,020F1C58,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,020F1C58,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409A6E), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409A6E), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00409330 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040934F
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040935F
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 00409372
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040937C

Memory Dump Source

Source File: 00000000.00000002.2922048505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922029032.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922072495.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922094483.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
Instruction ID: e54841d902c556b0a825a3a9b48dc11fcb5fd53647a295a33fe7abc41a02d5de
Opcode Fuzzy Hash: 3a4a69ca31a42f451232f6dfa0c76d71d3bd0a4d90442bfbcbe60d550a1314de
Instruction Fuzzy Hash: C6F0B472A0031497CB34A5EF9986A6F628DEADA768710403BFD04F73C3D538DD014AAD

Analysis Process: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmpPID: 6308, Parent PID: 6332COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 00485FE0 Relevance: 136.6, APIs: 22, Strings: 55, Instructions: 1871COMMON

Download Yara Rule

Strings

GETENV, xrefs: 004864A7
REGQUERYDWORDVALUE, xrefs: 00486DED
REMOVEBACKSLASHUNLESSROOT, xrefs: 004865CD
SETINISTRING, xrefs: 004862DA
SETNTFSCOMPRESSION, xrefs: 004875B9
GETINIBOOL, xrefs: 004861CB
GETSHORTNAME, xrefs: 00486675
GETSYSTEMDIR, xrefs: 004866DA
GETTEMPDIR, xrefs: 0048672A
STRINGCHANGEEX, xrefs: 004867B9
FONTEXISTS, xrefs: 004874E7
USINGWINNT, xrefs: 0048682D
CONVERTPERCENTSTRING, xrefs: 004868D4
DIREXISTS, xrefs: 00486060
ADDBACKSLASH, xrefs: 0048655D
GETCMDTAIL, xrefs: 004864DF
INIKEYEXISTS, xrefs: 00486236
FILEEXISTS, xrefs: 00486027
DELETEINISECTION, xrefs: 0048646D
REMOVEBACKSLASH, xrefs: 00486595
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 00486A34
ISINISECTIONEMPTY, xrefs: 00486292
STRINGCHANGE, xrefs: 00486752
SETINIINT, xrefs: 00486349
REMOVEQUOTES, xrefs: 0048663D
REGQUERYBINARYVALUE, xrefs: 00486ECA
GETINIINT, xrefs: 00486146
REGQUERYSTRINGVALUE, xrefs: 00486C69
REGQUERYMULTISTRINGVALUE, xrefs: 00486D2B
REGKEYEXISTS, xrefs: 00486915
REGWRITEBINARYVALUE, xrefs: 004873BF
REGGETVALUENAMES, xrefs: 00486BFC
PARAMSTR, xrefs: 0048652B
GETSYSWOW64DIR, xrefs: 00486702
REGWRITEMULTISTRINGVALUE, xrefs: 004871E1
ADDQUOTES, xrefs: 00486605
REGDELETEKEYIFEMPTY, xrefs: 00486A8F
REGWRITEDWORDVALUE, xrefs: 004872EB
CHARLENGTH, xrefs: 00487578
ADDPERIOD, xrefs: 00487540
GETWINDIR, xrefs: 004866B2
REGVALUEEXISTS, xrefs: 00486992
REGGETSUBKEYNAMES, xrefs: 00486B8F
REGDELETEVALUE, xrefs: 00486AEA
FILECOPY, xrefs: 00486851
SETINIBOOL, xrefs: 004863B4
GETUILANGUAGE, xrefs: 0048751B
GETINISTRING, xrefs: 004860D2
REGWRITESTRINGVALUE, xrefs: 00486FE9
ISPOWERUSERLOGGEDON, xrefs: 004874C3
ISADMINLOGGEDON, xrefs: 0048749F
DELETEINIENTRY, xrefs: 0048641F
FILEORDIREXISTS, xrefs: 00486099
PARAMCOUNT, xrefs: 00486507
REGWRITEEXPANDSTRINGVALUE, xrefs: 00487100

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTRING$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
API String ID: 0-3658119371
Opcode ID: 789088b229e86f4f9a1f1d2f706c7aaf27d2d51285bd5630a46190d2fd968b3d
Instruction ID: 1f533a3817926901e21f115ced2a71318d89b1f82f9318c6f77aeb51c9d307cf
Opcode Fuzzy Hash: 789088b229e86f4f9a1f1d2f706c7aaf27d2d51285bd5630a46190d2fd968b3d
Instruction Fuzzy Hash: E6D24174B042155BDB00FF79C8925AEB6A5AF99704F21883FF401AB346DE3CED068799

Function 00423BB4 Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3b1d29a4fbc1aed71327faafbbd414fabc03ccb6ce4f64ba57c149148d7331
Instruction ID: b3874c0ebfa8e5c98eb4c3a27b14194d81e346ea4a69c1a5551916dd99319231
Opcode Fuzzy Hash: 2d3b1d29a4fbc1aed71327faafbbd414fabc03ccb6ce4f64ba57c149148d7331
Instruction Fuzzy Hash: E4E1B134704125EFD710DF6AE585A5E77B0EB44304FA580A6E5069B362CB7CEE82DB18

Function 00422804 Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 0042299C
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B66), ref: 004229AC

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 7c78141ab0ca7620344792f2af95c3ff183131d8e274d08cb6d6ff51276b74f8
Instruction ID: 8c826587ba7af474f7b14690d684e7097f8878018e5f7bac2df75c57de2d2bfa
Opcode Fuzzy Hash: 7c78141ab0ca7620344792f2af95c3ff183131d8e274d08cb6d6ff51276b74f8
Instruction Fuzzy Hash: 1791A471B00214FFD710EFA9DA86F9E77F4AB15304F5500B6F500AB2A2C7B8AE419B58

Function 00462994 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1620
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048DA54: GetWindowRect.USER32(00000000), ref: 0048DA6A

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00462D63

Part of subcall function 0041D658: GetObjectA.GDI32(?,00000018,00462D7D), ref: 0041D683

Part of subcall function 004627F0: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046288D
Part of subcall function 004627F0: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004628B3
Part of subcall function 004627F0: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046290F
Part of subcall function 004627F0: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462935

Part of subcall function 0048DCB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048DCBA

Part of subcall function 0048D9A4: 73A1A570.USER32(00000000,?,?,?), ref: 0048D9C6
Part of subcall function 0048D9A4: SelectObject.GDI32(?,00000000), ref: 0048D9EC
Part of subcall function 0048D9A4: 73A1A480.USER32(00000000,?,0048DA4A,0048DA43,?,00000000,?,?,?), ref: 0048DA3D

Part of subcall function 0048DCA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048DCAA

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021AD0B4,021AED18,?,?,021AED40,?,?,021AED84,?), ref: 004639DB
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004639EC
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00463A04

Strings

, xrefs: 00462E25
(Default), xrefs: 00463F97
STOPIMAGE, xrefs: 00462D58

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapLoadRectSelectSystemWindow
String ID: $(Default)$STOPIMAGE
API String ID: 2907157918-770201673
Opcode ID: edd87f1fb70ff78689207597ef215f3f1d8daab5004934605c616b6dfe41ea42
Instruction ID: 0ce2a7c8654b4bda645b85becf187eb8cd9f620879433755a56cf3d7b5830d6a
Opcode Fuzzy Hash: edd87f1fb70ff78689207597ef215f3f1d8daab5004934605c616b6dfe41ea42
Instruction Fuzzy Hash: 97F2E4386005609FCB00EF59D9D9F9A73F1BF8A304F1542B6E5049B36AD774AC46CB8A

Function 00478B6C Relevance: 9.1, APIs: 6, Instructions: 149fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?,?,00000000), ref: 00478BCC
FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?), ref: 00478C15
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F), ref: 00478C22
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?), ref: 00478C6E
FindNextFileA.KERNEL32(000000FF,?,00000000,00478D3B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000), ref: 00478D17
FindClose.KERNEL32(000000FF,00478D42,00478D3B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000), ref: 00478D35

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 61b973198d0b1fe0a2792cb2d3ebe50e9fb866b9979b51b3a9d52b52c7d2fea2
Instruction ID: 54e57abadac26bdf6b50859d29d6f630f81932fdc3dee25b4239eb6d38c32597
Opcode Fuzzy Hash: 61b973198d0b1fe0a2792cb2d3ebe50e9fb866b9979b51b3a9d52b52c7d2fea2
Instruction Fuzzy Hash: 9C512171900658AFCB21EF65CC49ADEB7B8EB48315F1084BAA408E7391DA389F45CF58

Function 00408508 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e78cb18e13a677ec314dcfb13bf641d8481e9719d632e97f187bed88d7cfff22
Instruction ID: fb41a53da0808811ac7d324c7af8f56b416e217676924749333d5f26c846bbbb
Opcode Fuzzy Hash: e78cb18e13a677ec314dcfb13bf641d8481e9719d632e97f187bed88d7cfff22
Instruction Fuzzy Hash: 84E0927170022466D711A95A9C86AF6B35C9758314F00427FB948EB3C2EDB89E8046A9

Function 00423B2C Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240F9,?,00000000,00424104), ref: 00423B56

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 0048A9FC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,0048AEF1,?,?,?,?,00000000,00000000,00000000), ref: 0048AA3C
FindWindowA.USER32(00000000,00000000), ref: 0048AA6D

Strings

SENDBROADCASTNOTIFYMESSAGE, xrefs: 0048ACAB
SLEEP, xrefs: 0048AA26
SENDNOTIFYMESSAGE, xrefs: 0048AB73
SENDBROADCASTMESSAGE, xrefs: 0048AC09
POSTBROADCASTMESSAGE, xrefs: 0048AC57
FINDWINDOWBYWINDOWNAME, xrefs: 0048AA85
FREEDLL, xrefs: 0048ADE8
POSTMESSAGE, xrefs: 0048AB17
FINDWINDOWBYCLASSNAME, xrefs: 0048AA49
CHARTOOEMBUFF, xrefs: 0048AE92
SENDMESSAGE, xrefs: 0048AAC1
LOADDLL, xrefs: 0048ACFF
CALLDLLPROC, xrefs: 0048AD61
OEMTOCHARBUFF, xrefs: 0048AE4F
REGISTERWINDOWMESSAGE, xrefs: 0048ABCF
CREATEMUTEX, xrefs: 0048AE1D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 2a8871d8d55023be3087082fda80a682e2aee2b8b4ec1ca501907998ae9325a2
Instruction ID: 235d6cf6b0db6f7ade2b2b1cdaf506c84c5948104d9e726c8462171498c33706
Opcode Fuzzy Hash: 2a8871d8d55023be3087082fda80a682e2aee2b8b4ec1ca501907998ae9325a2
Instruction Fuzzy Hash: 52C183A0B402116BE714BF3E8C4252E559A9F95705B12CD3FB406DB78ACEBCDC1A435E

Function 0047C39C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047C3AD
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047C3BA
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047C3C8
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047C3D0
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047C3DC
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047C3FD
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047C410
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047C416
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047C42D

Strings

IsWow64Process, xrefs: 0047C3CA
kernel32.dll, xrefs: 0047C3A8
RegDeleteKeyExA, xrefs: 0047C406
advapi32.dll, xrefs: 0047C40B
GetNativeSystemInfo, xrefs: 0047C3B4
GetSystemWow64DirectoryA, xrefs: 0047C3F7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: d03775e633738299a729604fc9c01b73d2fbc3ca108d1ce9ff2f27538810c40c
Instruction ID: 06dcc6403529f5206617775aef830b133aa19bd788f334af9eebe881936bbdd9
Opcode Fuzzy Hash: d03775e633738299a729604fc9c01b73d2fbc3ca108d1ce9ff2f27538810c40c
Instruction Fuzzy Hash: 0511E255044341A8CB20B3B55DE6BFB26488B51B18F68C43F688C762D3D67CCC888AAF

Function 00464310 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,0046452A,?,?,00000001,00000000,00000000,00464545,?,00000000,00000000,?), ref: 00464513

Strings

Inno Setup: Selected Components, xrefs: 00464432
Inno Setup: No Icons, xrefs: 004643FB
Inno Setup: User Info: Organization, xrefs: 004644E2
Inno Setup: Deselected Components, xrefs: 00464454
Inno Setup: Icon Group, xrefs: 004643EE
Inno Setup: User Info: Serial, xrefs: 004644F5
%s\%s_is1, xrefs: 0046438D
Inno Setup: Deselected Tasks, xrefs: 004644A1
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046436F
Inno Setup: App Path, xrefs: 004643D2
Inno Setup: Selected Tasks, xrefs: 0046447F
Inno Setup: User Info: Name, xrefs: 004644CF
Inno Setup: Setup Type, xrefs: 00464422

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: da52ca3c07eec67e3a71c249a625a344edc3886d0bb8355508e894d35cb1a976
Instruction ID: fc5077364d37a5906c2ffbe53c2f2339136cb7e8b2833831ee8049aef900e6f6
Opcode Fuzzy Hash: da52ca3c07eec67e3a71c249a625a344edc3886d0bb8355508e894d35cb1a976
Instruction Fuzzy Hash: 1D51D070A00244ABDF11DB64C552BDEBBF4EF85304F6080ABE941A7391E738AF01CB59

Function 0042381C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F36C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED4C,?,00423837,00423BB4,0041ED4C), ref: 0041F38A

GetClassInfoA.USER32(00400000,00423624), ref: 00423847
RegisterClassA.USER32(00491630), ref: 0042385F
GetSystemMetrics.USER32(00000000), ref: 00423881
GetSystemMetrics.USER32(00000001), ref: 00423890
SetWindowLongA.USER32(004105F8,000000FC,00423634), ref: 004238EC
SendMessageA.USER32(004105F8,00000080,00000001,00000000), ref: 0042390D
GetSystemMenu.USER32(004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4,0041ED4C), ref: 00423918
DeleteMenu.USER32(00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4,0041ED4C), ref: 00423927
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423934
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042394A

Strings

$6B, xrefs: 0042383B, 004238BC

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: $6B
API String ID: 183575631-3519776487
Opcode ID: c243faa105f484f8994615a9e18f86ab08e10570189d0b0026668523fc81ff00
Instruction ID: 44122239756f869d7af1fdba3570d6082de878778f6117c7260872992629901f
Opcode Fuzzy Hash: c243faa105f484f8994615a9e18f86ab08e10570189d0b0026668523fc81ff00
Instruction Fuzzy Hash: 2B31A1B17402107AEB10BF659C82F663698AB14708F10007BFA41EF2E7DABDED04876C

Function 004760F0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(6FBC0000,SHGetFolderPathA), ref: 004761F2

Strings

SHGetFolderPathA, xrefs: 004761E7
shfolder.dll, xrefs: 00476155, 0047618E
shell32.dll, xrefs: 0047619D
Failed to get version numbers of _shfoldr.dll, xrefs: 00476148
Failed to get address of SHGetFolderPathA function, xrefs: 00476203
SHFOLDERDLL, xrefs: 0047612F
Failed to load DLL "%s", xrefs: 004761D5
_isetup\_shfoldr.dll, xrefs: 00476122

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-1072092678
Opcode ID: f8a945879734eb8a3e01e329d5f85791fe065c35f54aba2b2d6a486e5181d73e
Instruction ID: 226347d15c1c5d11692c613386f90c3546301fb27c77df9f9534ec7b1eb9fe62
Opcode Fuzzy Hash: f8a945879734eb8a3e01e329d5f85791fe065c35f54aba2b2d6a486e5181d73e
Instruction Fuzzy Hash: 68312130A009499FCB50EF95D9819DEB7B6EB45304F91C4B7E808E7252D738AE09CB59

Function 0045196C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 0045198C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451992
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 004519A6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004519AC

Strings

kernel32.dll, xrefs: 00451987, 004519A1
Wow64RevertWow64FsRedirection, xrefs: 0045199C
shell32.dll, xrefs: 004519D8
Wow64DisableWow64FsRedirection, xrefs: 00451982

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 3cbb67f4092de5c9cddfa2d9bfb7862d968d6380399a9768a187bea8b87d8782
Instruction ID: bc30ab95aa3e68d9a300d6e2b8d7baffeb65242bdbb5e2da560ca488e233ca82
Opcode Fuzzy Hash: 3cbb67f4092de5c9cddfa2d9bfb7862d968d6380399a9768a187bea8b87d8782
Instruction Fuzzy Hash: AF0184B0241744FEDB12EB729C56B5A3A98D711B19F60487BF840A51A3D7FC4D08CA6D

Function 00475DC4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00475F37,?,?,00000000,00492628,00000000,00000000,?,00490529,00000000,004906D2,?,00000000), ref: 00475E57
GetLastError.KERNEL32(00000000,00000000,00000000,00475F37,?,?,00000000,00492628,00000000,00000000,?,00490529,00000000,004906D2,?,00000000), ref: 00475E60

Strings

\_setup64.tmp, xrefs: 00475EEF
Created temporary directory: , xrefs: 00475DF9
REGDLL_EXE, xrefs: 00475ED4
\_RegDLL.tmp, xrefs: 00475EC4
_isetup, xrefs: 00475E42

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
API String ID: 1375471231-1421604804
Opcode ID: d971e988ddd947d72368aaad927c191851754868bdd5cef345a65f7cfcfe1743
Instruction ID: 2992479d9a41277d4ba3c51ea03d54e21519c43d7d484cf0d062ff4dd53bb91c
Opcode Fuzzy Hash: d971e988ddd947d72368aaad927c191851754868bdd5cef345a65f7cfcfe1743
Instruction Fuzzy Hash: 0E415674A105099BDB00EF91D881ADEB7B9FF44305F50843BE815BB396DB78AE058B58

Function 00430158 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430160
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043016F
GetCurrentThreadId.KERNEL32 ref: 00430189
GlobalAddAtomA.KERNEL32(00000000), ref: 004301AA

Strings

commdlg_help, xrefs: 0043015B
commdlg_FindReplace, xrefs: 0043016A
WndProcPtr%.8X%.8X, xrefs: 0043019B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 28029589c3db21dee67d6af112ea14edfd7444fd649c35e836976e13e9a64ada
Instruction ID: 59c811c4a41a2c0c62e5dc841fd9799240dd828c67306f5793c7ecde0d0b434c
Opcode Fuzzy Hash: 28029589c3db21dee67d6af112ea14edfd7444fd649c35e836976e13e9a64ada
Instruction Fuzzy Hash: F0F0A7705483409AD700EB35C902B1A7BE4AB58708F004A3FF458A63E1D77A9900CB1F

Function 00423634 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 004236C4
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 004236F1
OemToCharA.USER32(?,?), ref: 00423704
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 00423744

Strings

2, xrefs: 00423692
MAINICON, xrefs: 004236B9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 224cf75db4ea10a89a7eebe0d84fc4cc31f478398fb3606dfc63747a48c8d72c
Instruction ID: 65266eba4a5d446380783eb4ad5427bb3c2b6e1eaca800c785880fb46d02af3b
Opcode Fuzzy Hash: 224cf75db4ea10a89a7eebe0d84fc4cc31f478398fb3606dfc63747a48c8d72c
Instruction Fuzzy Hash: E53193B0A042559ADB10EF29C8C57C67BE89F14308F4441BAE944DB393D7BED988CB59

Function 00418EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418EE5
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F06
GetCurrentThreadId.KERNEL32 ref: 00418F21
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F42

Part of subcall function 00423070: 73A1A570.USER32(00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230C6
Part of subcall function 00423070: EnumFontsA.GDI32(00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230D9
Part of subcall function 00423070: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230E1
Part of subcall function 00423070: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230EC

Part of subcall function 00423634: LoadIconA.USER32(00400000,MAINICON), ref: 004236C4
Part of subcall function 00423634: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 004236F1
Part of subcall function 00423634: OemToCharA.USER32(?,?), ref: 00423704
Part of subcall function 00423634: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 00423744

Part of subcall function 0041F0C0: GetVersion.KERNEL32(?,00418F98,00000000,?,?,?,00000001), ref: 0041F0CE
Part of subcall function 0041F0C0: SetErrorMode.KERNEL32(00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0EA
Part of subcall function 0041F0C0: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0F6
Part of subcall function 0041F0C0: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F104
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F134
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F15D
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F172
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F187
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F19C
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1B1
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1C6
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1DB
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1F0
Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F205

Strings

ControlOfs%.8X%.8X, xrefs: 00418F33
Delphi%.8X, xrefs: 00418EF7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 3864787166-2767913252
Opcode ID: ef7e27ba16645ad8f4c699e646a7607366e766e332a0da38ca4bd420b63be1db
Instruction ID: b182b06b3bcb1b2e8c3ba80a322d5fe38ad1e868bfed4ce1d31fb71d0c0c557e
Opcode Fuzzy Hash: ef7e27ba16645ad8f4c699e646a7607366e766e332a0da38ca4bd420b63be1db
Instruction Fuzzy Hash: 051142B06142406AC740FF36998274A76E1EBA4308F40853FF448EB3E1DB7D9945CB6E

Function 004135E4 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 0041360C
GetWindowLongA.USER32(?,000000F0), ref: 00413617
GetWindowLongA.USER32(?,000000F4), ref: 00413629
SetWindowLongA.USER32(?,000000F4,?), ref: 0041363C
SetPropA.USER32(?,00000000,00000000), ref: 00413653
SetPropA.USER32(?,00000000,00000000), ref: 0041366A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 0a6263d03eac2d2bce2c4b1186c1d291e8e55930424baaf96426919c90c6d239
Instruction ID: f31fb67a9e11a3f95cb2897c8c98fc4a52a333ae5d38a5fa38f8a355adb326ca
Opcode Fuzzy Hash: 0a6263d03eac2d2bce2c4b1186c1d291e8e55930424baaf96426919c90c6d239
Instruction Fuzzy Hash: C911CC75500245BFDB00EF99DC84E9A37E8AB19364F104266F918DB2A1D738D9908B64

Function 004627F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046288D
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004628B3

Part of subcall function 00462730: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004627C8
Part of subcall function 00462730: DestroyCursor.USER32(00000000), ref: 004627DE

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046290F
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462935

Strings

c:\directory, xrefs: 00462888

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Icon$ExtractFileInfo$CursorDestroyDraw
String ID: c:\directory
API String ID: 2926980410-3984940477
Opcode ID: 053eec6837b37a16dfd373243ba5a34fa0dfe6360c683bd5468a3980c2d0a2d1
Instruction ID: 427904fd0b382b2f05c77991b1ac4ddebc586400d5837c21677a4a344efa396e
Opcode Fuzzy Hash: 053eec6837b37a16dfd373243ba5a34fa0dfe6360c683bd5468a3980c2d0a2d1
Instruction Fuzzy Hash: CD418D70700644BFDB10DB55CD8AFDBBBE8AB49304F1040A6F90497291D6B8AE84CA59

Function 00450C8C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

74D41520.VERSION(00000000,?,?,?,0048F996), ref: 00450CAC
74D41500.VERSION(00000000,?,00000000,?,00000000,00450D27,?,00000000,?,?,?,0048F996), ref: 00450CD9
74D41540.VERSION(?,00450D50,?,?,00000000,?,00000000,?,00000000,00450D27,?,00000000,?,?,?,0048F996), ref: 00450CF3

Strings

aE, xrefs: 00450D37, 00450CFF

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: D41500D41520D41540
String ID: aE
API String ID: 2153611984-88912727
Opcode ID: 5f4df345e488c05fd5bd4e33c36db4a7a4bcf57642fa48d89191aa24049eff36
Instruction ID: fa6cca6fee997d329f140acf62b9c68117f89c9724db0c09afd566eb7417e920
Opcode Fuzzy Hash: 5f4df345e488c05fd5bd4e33c36db4a7a4bcf57642fa48d89191aa24049eff36
Instruction Fuzzy Hash: 66215379A00649AFDB01DAE98C41DBFB7FCEB49301F55407AFD04E3242D679AE088769

Function 0042121C Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421309
SetMenu.USER32(00000000,00000000), ref: 00421326
SetMenu.USER32(00000000,00000000), ref: 0042135B
SetMenu.USER32(00000000,00000000), ref: 00421377

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 69c3d24cbd3908ab398b23ff4996bcca6d71d6d9efd1b021582025e8ce73b4a6
Instruction ID: 0f81d55959a1cf47e4f4fbe1fb89748b5e36cc62268cbc8ca2fac5ad34181ecf
Opcode Fuzzy Hash: 69c3d24cbd3908ab398b23ff4996bcca6d71d6d9efd1b021582025e8ce73b4a6
Instruction Fuzzy Hash: 1341C37070025557EB20BB3AA88579A76924F65308F4901BFBC44DF3A7CA7DCC4683AC

Function 00416AEA Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B2C
SetTextColor.GDI32(?,00000000), ref: 00416B46
SetBkColor.GDI32(?,00000000), ref: 00416B60
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B88

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 94d5e14a106f4ce483550bedbdeace2163082f32d69035d86e8ad094192f6645
Instruction ID: b033cece6509217f2327ce801b750aa6be190e92d4bc00e16b2453bc82832c42
Opcode Fuzzy Hash: 94d5e14a106f4ce483550bedbdeace2163082f32d69035d86e8ad094192f6645
Instruction Fuzzy Hash: DA112EB2204610AFC710EE6ECDC5E9777ECEF49314715882AB59ADB612D638F8418B29

Function 00423A2C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(004239C4), ref: 00423A50
GetWindow.USER32(?,00000003), ref: 00423A65
GetWindowLongA.USER32(?,000000EC), ref: 00423A74
SetWindowPos.USER32(00000000,00424104,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424153,?,?,00423D1B), ref: 00423AAA

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 2ac3058ad058fb58bc43d272a33111b98432a4fbb6a4c2e0798833925aa94dac
Instruction ID: 2aa942e0144c2f66fd74dad5558343876cb1daa91c8e5ea9adb7241dccc7aa7f
Opcode Fuzzy Hash: 2ac3058ad058fb58bc43d272a33111b98432a4fbb6a4c2e0798833925aa94dac
Instruction Fuzzy Hash: C9112E70704610ABDB10DF68DD85F5A77E4EB08725F11066AF994AB2E2C3789D41CB58

Function 00423070 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230C6
EnumFontsA.GDI32(00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230D9
73A24620.GDI32(00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230E1
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230EC

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A24620A480A570EnumFonts
String ID:
API String ID: 2630238358-0
Opcode ID: 541138733ee3697c01f8c81797123c03923b2bd4d964166bd9626717c6dd975c
Instruction ID: afad048246e6630919bdfa9f1eb422a1972ed3af21ea5203bed7575143a0f70f
Opcode Fuzzy Hash: 541138733ee3697c01f8c81797123c03923b2bd4d964166bd9626717c6dd975c
Instruction Fuzzy Hash: 9D01D2717043002AE700BF7A5C82B9B3A549F05319F44023BF804AF2C2D6BE9905876E

Function 00490B04 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00490B12), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00490B12), ref: 00403356

Part of subcall function 00409B20: 6F571CD0.COMCTL32(00490B21), ref: 00409B20

Part of subcall function 004108FC: GetCurrentThreadId.KERNEL32 ref: 0041094A

Part of subcall function 00418FE8: GetVersion.KERNEL32(00490B35), ref: 00418FE8

Part of subcall function 0044EE30: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00490B49), ref: 0044EE6B
Part of subcall function 0044EE30: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EE71

Part of subcall function 0045196C: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 0045198C
Part of subcall function 0045196C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451992
Part of subcall function 0045196C: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 004519A6
Part of subcall function 0045196C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004519AC

Part of subcall function 0045FCBC: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00490B67), ref: 0045FCCB
Part of subcall function 0045FCBC: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045FCD1

Part of subcall function 004678D8: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004678ED

Part of subcall function 00472434: GetModuleHandleA.KERNEL32(kernel32.dll,?,00490B71), ref: 0047243A
Part of subcall function 00472434: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00472447
Part of subcall function 00472434: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00472457

Part of subcall function 0048DD14: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048DD2D

SetErrorMode.KERNEL32(00000001,00000000,00490BB9), ref: 00490B8B

Part of subcall function 00490914: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00490B95,00000001,00000000,00490BB9), ref: 0049091E
Part of subcall function 00490914: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00490924

Part of subcall function 0042447C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0042449B

Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284

ShowWindow.USER32(?,00000005,00000000,00490BB9), ref: 00490BFC

Part of subcall function 0047B260: SetActiveWindow.USER32(?), ref: 0047B304

Strings

Setup, xrefs: 00490BE2

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorF571FormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
String ID: Setup
API String ID: 4284711697-3839654196
Opcode ID: 4a92e04b5a3bb167517f030a4e0266e5d02d6270ad180fa011e8cd7e0c68a178
Instruction ID: 93c4262b2fd0981b4a3bf9bbc89b82d5fe8812d296d35f6d6b268422da34e6e8
Opcode Fuzzy Hash: 4a92e04b5a3bb167517f030a4e0266e5d02d6270ad180fa011e8cd7e0c68a178
Instruction Fuzzy Hash: CC31C635204204AED605BBB7ED1391E3BA4EB8971CB61447FF404929A3DE7C5C518A7E

Function 0042DA40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,?,00000000,0042DB61), ref: 0042DA78
RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,00000000,?,ProductType,00000000,?,00000000,?,00000000,0042DB61), ref: 0042DAD0

Strings

ProductType, xrefs: 0042DA76, 0042DACE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID: ProductType
API String ID: 3660427363-120863269
Opcode ID: ab12decc903a6d1df9f117d79e0e5479a639dfb10b7c27d5f7c64920541e152b
Instruction ID: 22425fb9ba400e549f89719797a15a519fe31236383ac1a1c9c2ba634efda0a6
Opcode Fuzzy Hash: ab12decc903a6d1df9f117d79e0e5479a639dfb10b7c27d5f7c64920541e152b
Instruction Fuzzy Hash: 67416934E04128EFDF21DF95D890BEFBBB8EB45304F9185A7E510A7280D778AA44CB58

Function 004521A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045228F,?,?,00000000,00492628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004521E6
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045228F,?,?,00000000,00492628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004521EF

Strings

.tmp, xrefs: 004521CF

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 95b321a80a7f49f3410ff19ad884a03b5149450dce792f72d1a7e619d8ed1185
Instruction ID: 1cc7738378c32de01c08681629a8df9cd6432d6ac9a10e78220417a5cd0dd7bd
Opcode Fuzzy Hash: 95b321a80a7f49f3410ff19ad884a03b5149450dce792f72d1a7e619d8ed1185
Instruction Fuzzy Hash: 68213579A002089BDB01EFA1C9529DFB7B9EF49305F50457BF801B7342DA7C9E058A65

Function 004758D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00475B5A,00000000,00475B70,?,?,?,?,00000000), ref: 00475936

Strings

RegisteredOrganization, xrefs: 00475925
RegisteredOwner, xrefs: 00475913

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: b3b711482d8e628ec3f61362cfc892467dbb757c2662bd40f62ad5005f9431cc
Instruction ID: 48b656342ec2bd2b5ab7dbcfa9b326a46bbbd2cb26f9bcc12124a5356ca6e139
Opcode Fuzzy Hash: b3b711482d8e628ec3f61362cfc892467dbb757c2662bd40f62ad5005f9431cc
Instruction Fuzzy Hash: 63F0F6B0B04144EBEB00DA72AC9279B3759D742304F60807BA2058F251D6B9AF01D74C

Function 004678D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E1E0: SetErrorMode.KERNEL32(00008000), ref: 0042E1EA
Part of subcall function 0042E1E0: LoadLibraryA.KERNEL32(00000000,00000000,0042E234,?,00000000,0042E252,?,00008000), ref: 0042E219

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004678ED

Strings

shell32.dll, xrefs: 004678E2
SHPathPrepareForWriteA, xrefs: 004678D8

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 2d4ab07854a1d4988602b7a8c2149ed72f66a48f089839e8f0029271a52bc1ea
Instruction ID: fa085d398d84bf6bdc376de8b0adffa78d8cd9c0cd14655664e75f653ebd6975
Opcode Fuzzy Hash: 2d4ab07854a1d4988602b7a8c2149ed72f66a48f089839e8f0029271a52bc1ea
Instruction Fuzzy Hash: 90B092E0B0474092EF0077BA584AB1A1454D78079CB64883BB040AB289EE7C8A18EB9E

Function 0047A918 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,0047AA50), ref: 0047A9E8
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047A9F9
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047AA11

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: f080a53e69ae36a7c53ecc201a6def57175b7aa651597f400192a04eb8f0c766
Instruction ID: 9416a2e69f94d1bacdcd5589100605e7a17a6fee69d6532038c11be2b18ca1fe
Opcode Fuzzy Hash: f080a53e69ae36a7c53ecc201a6def57175b7aa651597f400192a04eb8f0c766
Instruction Fuzzy Hash: BB31E5B07043442AE711EB359C82BAE3B945B91308F40843FB940AB2E3C67C9D18879E

Function 0044AA68 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00000000,00000000,0044AB69,?,0047B27B,?,?), ref: 0044AADD
SelectObject.GDI32(?,00000000), ref: 0044AB00
73A1A480.USER32(00000000,?,0044AB40,00000000,0044AB39,?,00000000,?,00000000,00000000,0044AB69,?,0047B27B,?,?), ref: 0044AB33

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID:
API String ID: 1230475511-0
Opcode ID: 6206e762a1325ba623ac8cb259efe5e16e8ff7365d7f6aa6f873279f897fc210
Instruction ID: 5ebdf1d2f2544012dfa55b31c85aaba12dd464d1382fd60bb62d336af458de0c
Opcode Fuzzy Hash: 6206e762a1325ba623ac8cb259efe5e16e8ff7365d7f6aa6f873279f897fc210
Instruction Fuzzy Hash: 6E21C170E44248AFEB11DFA5C841B9EBBB9EB48304F4180BAF500A7281C77C9950CB2A

Function 0044A79C Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A828,?,0047B27B,?,?), ref: 0044A7FA
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A80D
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A841

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 8317c523276f314509038111108d47a2590dbd1258818dab6b6b76e6ad298f5c
Instruction ID: 547ddd58e113f665f2c4bd30cca118ef6da0f4e8a03e0e68a63751e0d3c3e5d9
Opcode Fuzzy Hash: 8317c523276f314509038111108d47a2590dbd1258818dab6b6b76e6ad298f5c
Instruction Fuzzy Hash: 2F1108B27406047FEB00EBAA8C82D6FB7ECDB48724F10813BF504E72C0D5389E018A69

Function 004243A4 Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004243BA
TranslateMessage.USER32(?), ref: 00424437
DispatchMessageA.USER32(?), ref: 00424441

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 5ba890f0d626e851ae5eb072c17b98b7617e900c1ccbace483623866fa51125f
Instruction ID: 29ec6bb2c2fe33ce96073087ef8f049612c87f0656b6e82933878d2f51458537
Opcode Fuzzy Hash: 5ba890f0d626e851ae5eb072c17b98b7617e900c1ccbace483623866fa51125f
Instruction Fuzzy Hash: 1F11C43030435056DA20E6A4B94179B73D4CFC1708F85485EF9C957382D7BD9E4487AB

Function 004165EC Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 00416612
SetPropA.USER32(00000000,00000000), ref: 00416627
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041664E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: b31ba192d97bc2a8128d85a50ffa45febb98a78fe245b4b5ec301087639eabad
Instruction ID: 675018db8e1bdf4ebffe2da0d9b09b3c9fe28390eae3e6cfa7bb9a74213a9f8e
Opcode Fuzzy Hash: b31ba192d97bc2a8128d85a50ffa45febb98a78fe245b4b5ec301087639eabad
Instruction Fuzzy Hash: 9DF0B271701210BFDB109B599C85FA632DCBB19B15F160176BE08EF286D6B8DD40C7A8

Function 0047B260 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0047B304

Strings

InitializeWizard, xrefs: 0047B2A7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 3a7496bf7c2806cc2f61ad9c515dd49884b44335ce2f4f167811691a48ea3c91
Instruction ID: 4e25cab65ed988d36d771276a92aef87a17e854c81311b79447974de30300cc1
Opcode Fuzzy Hash: 3a7496bf7c2806cc2f61ad9c515dd49884b44335ce2f4f167811691a48ea3c91
Instruction Fuzzy Hash: CA11A330204204AFD701EB69FD45B5A77E4E755324F2084BBF40A877A1D7796C41DB5D

Function 004757F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00475A36,00000000,00475B70), ref: 00475835

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00475805

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 32ef8136de0120a00000d409f2c8a2fabb2658739af061c3bbedf7e0271f1c3a
Instruction ID: 6f23ae70e013487785b82a96322c3c90f2bad5c8cb9ef8bfae3d8b83ecadceb2
Opcode Fuzzy Hash: 32ef8136de0120a00000d409f2c8a2fabb2658739af061c3bbedf7e0271f1c3a
Instruction Fuzzy Hash: A1F08231B0451467EA04B69A9C42B9EA79D9B84758F21407BF908DF342D9F99E0242AD

Function 0042DC44 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DC5E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: 22e0c054078c54348808a8319995cc634a026ba4b678fe1ea34de8a5361bc097
Instruction ID: 29d81e93da8360ba13d0a113dd5009aeb6b598c84d67836305bbff2bc9e8969e
Opcode Fuzzy Hash: 22e0c054078c54348808a8319995cc634a026ba4b678fe1ea34de8a5361bc097
Instruction Fuzzy Hash: B7D09E72910128BB9B109A89DC41DF7775DDB19760F44401AF904A7141C1B4AC519BE4

Function 0040AF70 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF8A
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0E7,00000000,0040B0FF,?,?,?,00000000), ref: 0040AF9B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 8c30dec602ece8ae2a8e71100469382659f92ae3bfb2da213009fea87c39b6d5
Instruction ID: 1221a5199f13f7129315330983e0874b2bf41397b47310acc6f6b643a0b38e17
Opcode Fuzzy Hash: 8c30dec602ece8ae2a8e71100469382659f92ae3bfb2da213009fea87c39b6d5
Instruction Fuzzy Hash: FB012FB1300300AFDB00EF69DC82E1A33A9EB493087108077F500BB2D0DA799C11962A

Function 004231E4 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 004231F1
LoadCursorA.USER32(00000000,00000000), ref: 0042321B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 97721f6b4bea7dfcfee2643c439e1d77a1de27f79bc3f669c874631e657f12ca
Instruction ID: 43eb0a081647544f07c75950a444ff3626244229c91a8f980807230630bdce3f
Opcode Fuzzy Hash: 97721f6b4bea7dfcfee2643c439e1d77a1de27f79bc3f669c874631e657f12ca
Instruction Fuzzy Hash: 56F05C11740110A6D6105D7E6CC0E2A7268DBC1735B7103BBFB7BD32D2C62E5C01417D

Function 0042E1E0 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E1EA
LoadLibraryA.KERNEL32(00000000,00000000,0042E234,?,00000000,0042E252,?,00008000), ref: 0042E219

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: df3f20b22e32febbdad40190a0324c62e8b0ac07168a33a3d01648edd1efc6b6
Instruction ID: a5bf76ec7fc0037a961c30f1a8367ec2ab03dc69631e0c622de06244be8b127b
Opcode Fuzzy Hash: df3f20b22e32febbdad40190a0324c62e8b0ac07168a33a3d01648edd1efc6b6
Instruction Fuzzy Hash: 6CF08270B14744BEDB019F779C6282BBBECEB4DB1479248B6F800A2691E63C4C10CD39

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 08da3f0d1e78bfe9c634c9aa4f5f35e672582809eb99289594877bc0e4020af2
Instruction ID: 725a70dfb87e22c3967cff80d89a5dac4b2b1bb1b28326949d670fe9fc14322f
Opcode Fuzzy Hash: 08da3f0d1e78bfe9c634c9aa4f5f35e672582809eb99289594877bc0e4020af2
Instruction Fuzzy Hash: 82F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9

Function 00477198 Relevance: 1.6, APIs: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageA.USER32(0001043A,00000496,00002711,00000000), ref: 00477350

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageNotifySend
String ID:
API String ID: 3556456075-0
Opcode ID: 252e5136d57f140269efebacecac5dd0592624cb6a566e5f719c9ce0fa9de95c
Instruction ID: 16409b2b564c283e2081e6b17d670531f43b9e979188f2c8fa02a8160c9bfcf5
Opcode Fuzzy Hash: 252e5136d57f140269efebacecac5dd0592624cb6a566e5f719c9ce0fa9de95c
Instruction Fuzzy Hash: 8B4186343040009BC710FF66EC8255A77A9AB55309790C5B7B8049F3ABCA78EE06DB9D

Function 0040857C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004086B2), ref: 0040859B

Part of subcall function 00406D8C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406DA9

Part of subcall function 00408508: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 80ecc8c9aace017e09db60a449651f58f9edaaa4523f5ba9ad143ce156ad8401
Instruction ID: 8b9545330178279bc2ddac5e6fa168bd58cc03261140f3a6a95c7e376186b839
Opcode Fuzzy Hash: 80ecc8c9aace017e09db60a449651f58f9edaaa4523f5ba9ad143ce156ad8401
Instruction Fuzzy Hash: 86315035E00109ABCB00EF95CC819EEB779FF84314F518577E815BB285E738AE018B98

Function 0041FB44 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBE1

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
Instruction ID: 2699cc02af870d89e6a5ad5e313ee30afbb4c435a81dca5bff53af4edc800ccf
Opcode Fuzzy Hash: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
Instruction Fuzzy Hash: E22142B16087456FC340DF39D440696BBE4BB88314F04493EE498C3741D774E996CBD6

Function 004164F8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041652D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a90cc2cdc4384ce14c959999bf908b8a2b5a488b97049405d08f79aee015cd0a
Instruction ID: a820f4678b9f5f8a39c028f8276f7672b34f9079ce199e45b6728efe25cce622
Opcode Fuzzy Hash: a90cc2cdc4384ce14c959999bf908b8a2b5a488b97049405d08f79aee015cd0a
Instruction Fuzzy Hash: D5F019B2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD260EC108BB0

Function 0041495C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414997

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 0042CBB0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC

GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A,00000000,004511A1,00000000,004511C2,?,00000000), ref: 0042CBDB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesCharFilePrev
String ID:
API String ID: 4082512850-0
Opcode ID: 22241e4889f104e7f41f6a8233d5b92d6a893f3137f18e20c265477f4e7dcce1
Instruction ID: bcc2a10ba17e46f4a9e3aa80fd67cbe88bd74874a982435321d161081e45760d
Opcode Fuzzy Hash: 22241e4889f104e7f41f6a8233d5b92d6a893f3137f18e20c265477f4e7dcce1
Instruction Fuzzy Hash: 96E09B71304308BFD701EF62EC93E5EBBECDB85714BA14476F400E7641D5B9AE008418

Function 0044FADC Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FB1C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7da2e43c929a1b3cf4f1d1b3a38018dcf9ef8b29aa3a0f5ed13920a3cf2a8183
Instruction ID: b9ff2f1e843887c32db999b8e56f693fcf835da1e8ac5748e56ca63b18eefbc2
Opcode Fuzzy Hash: 7da2e43c929a1b3cf4f1d1b3a38018dcf9ef8b29aa3a0f5ed13920a3cf2a8183
Instruction Fuzzy Hash: 64E092A53501083ED340EEACAC52FA337CC9319754F048033B988C7351D4619D11CBA8

Function 0042E660 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 5cdf8f27468f89c1e221846afb926f353a68fd9131fa2110eec1806da2fbbfdd
Instruction ID: e1450acef62d714b472a60d6f425ebfa2555b1e5ba62ff61a1a92b84590c1f2f
Opcode Fuzzy Hash: 5cdf8f27468f89c1e221846afb926f353a68fd9131fa2110eec1806da2fbbfdd
Instruction Fuzzy Hash: 2EE020723843111AF23550676C47B7F170D4790704F9580263B10DE3D2D9AEDD0F02AD

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00423624,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 00406329

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 00414624 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0048DB6E,?,0048DB90,?,?,00000000,0048DB6E,?,?), ref: 00414643

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406EB0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406EC4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 53bf0c971a6682272cbe113517155efe353acdf78c65c7717e273512bbedbf67
Instruction ID: 4d76dac8211929e62cce8888c47837621b30d3b0c7e20a3f427cea6db45cb60b
Opcode Fuzzy Hash: 53bf0c971a6682272cbe113517155efe353acdf78c65c7717e273512bbedbf67
Instruction Fuzzy Hash: 48D05B763082507AD620965BAC44DA76BDCCBC5770F11063EB558C71C1D6309C01C775

Function 004235F4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004235A0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004235B5

ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F

Part of subcall function 004235D0: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235EC

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: cb52d813e726ef3bf1f97996af8dbdf7dcfd597cb966ddb70d5cf92a6749ad4e
Instruction ID: 2a465d5d678e454343823bde05cb816eafc76b3616d44e2642b2febe52ce8396
Opcode Fuzzy Hash: cb52d813e726ef3bf1f97996af8dbdf7dcfd597cb966ddb70d5cf92a6749ad4e
Instruction Fuzzy Hash: F8D0A7123422343143203BB73845A8B46BC4DC62A7388043BB548CB303FD1E8F5130BC

Function 0042426C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00424284

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 627cc26754df0e5d4ac2449ef7fa78a92304547f29cb65040aa964a78537c4ea
Instruction ID: 464bc4534e7500a79cd72818e7fe6fdc88b43f9c3cedd93f67ec80ba9b13fbd8
Opcode Fuzzy Hash: 627cc26754df0e5d4ac2449ef7fa78a92304547f29cb65040aa964a78537c4ea
Instruction Fuzzy Hash: A8D05BE270113017C741BAED54C4AC577CC4B4825671540B7F904EF257C638CD404398

Function 0042CC08 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0045084B,00000000), ref: 0042CC13

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2ad41afce022a7edf35b9913b4ba60846e4e43961883ad7ce5a0ddd1fe693583
Instruction ID: 1275fb06175802a4eec18308edc692cabbb6af922db63e061f4609c964e4cce9
Opcode Fuzzy Hash: 2ad41afce022a7edf35b9913b4ba60846e4e43961883ad7ce5a0ddd1fe693583
Instruction Fuzzy Hash: 41C08CE13022001A9A1065FE2CC511F02C8891423A3A42F37F42EE33D2DA3D8C17201A

Function 00406E60 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A86C,0040CE18,?,00000000,?), ref: 00406E7D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d547fc177cc010ebbf72a9c89b9c423b161151a012076ed4013ddf55a6f1100b
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: d547fc177cc010ebbf72a9c89b9c423b161151a012076ed4013ddf55a6f1100b
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 0042E23B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E259), ref: 0042E24C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0a051d32a78ad3617f7ea1dbaf78ac9652f3e2ca0c092313af1445ab26d6b84d
Instruction ID: 74ebc363d3dd9adc156b0186d58570fa2bbeeb99e87a8c897359723e7ad10afe
Opcode Fuzzy Hash: 0a051d32a78ad3617f7ea1dbaf78ac9652f3e2ca0c092313af1445ab26d6b84d
Instruction Fuzzy Hash: ABB09B7670C6009DB709D6D6755552D63D8D7C47203E145B7F015E2580D53C58004928

Function 00416594 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

73A25CF0.USER32(?), ref: 0041659B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 0045B160 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045B1F0

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 40e67bd12d84b901d644a32061550c5eab03b59ca4c5dcb87dd2f004890e4884
Instruction ID: 4e53742ce62a887a6b6d1ed8658a57c71b670a96a09bd10cc268158586706a5e
Opcode Fuzzy Hash: 40e67bd12d84b901d644a32061550c5eab03b59ca4c5dcb87dd2f004890e4884
Instruction Fuzzy Hash: D01175716006049BDB00EF15C88175B77A4EF8435AF04846AFD589B2C7DB38EC09CBEA

Function 0041F36C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED4C,?,00423837,00423BB4,0041ED4C), ref: 0041F38A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 12d8c903e1d35d4ed3e61744099085c4d88952c6e60055fc50c96d732ccf1ffc
Instruction ID: 0cc0efa10282cde451e00f43d434c8f6590961a15256f6519a3dd582a972fe71
Opcode Fuzzy Hash: 12d8c903e1d35d4ed3e61744099085c4d88952c6e60055fc50c96d732ccf1ffc
Instruction Fuzzy Hash: 21115E746407059BC710DF19C880B86FBE5EF98750F10C53BE9A88B785D374E945CBA9

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b62b8f1c307d4adcebf6fa1a253ea1af05d3ba4dba9aec1dff74914ddceb4cab
Instruction ID: 8116451f728c5aa32ea3c360de9e7882c02e29ec9bc76b399c7381bc7e3fefdc
Opcode Fuzzy Hash: b62b8f1c307d4adcebf6fa1a253ea1af05d3ba4dba9aec1dff74914ddceb4cab
Instruction Fuzzy Hash: F40170766057109FC3109F29DCC0E2677E8D780378F05413EDA84673A1D37A6C0187D8

Function 0045B108 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0045B1E6), ref: 0045B11F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 738f9e8baf208e14bafd32a0a90fff7df9624ba6fd4da3bc033a9b1b79592317
Instruction ID: 6d5ad091bc6b63f34aeb1917c6f1250fd7e3330d7d8b7736af9f6265ced051ec
Opcode Fuzzy Hash: 738f9e8baf208e14bafd32a0a90fff7df9624ba6fd4da3bc033a9b1b79592317
Instruction Fuzzy Hash: 5BD0E9B17557045BDF90EE794C81B1677D8BB48741F5044766904DB286E774E8048A58

Non-executed Functions

Function 0044AD34 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044ACE0: GetVersionExA.KERNEL32(00000094), ref: 0044ACFD

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EE61,00490B49), ref: 0044AD5B
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AD73
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AD85
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AD97
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044ADA9
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADBB
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADCD
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044ADDF
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044ADF1
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AE03
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AE15
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AE27
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AE39
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AE4B
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AE5D
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AE6F
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AE81
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AE93
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044AEA5
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044AEB7
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044AEC9
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044AEDB
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044AEED
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044AEFF
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044AF11
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044AF23
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044AF35
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044AF47
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044AF59
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044AF6B
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044AF7D
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044AF8F
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044AFA1
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044AFB3
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044AFC5
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044AFD7
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044AFE9
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044AFFB
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B00D
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B01F
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B031
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B043
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B055
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B067
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B079
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B08B
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B09D
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B0AF

Strings

GetThemePropertyOrigin, xrefs: 0044AF3F
DrawThemeIcon, xrefs: 0044AE43
CloseThemeData, xrefs: 0044AD7D
GetThemeMetric, xrefs: 0044AE8B
GetThemeSysColor, xrefs: 0044AF75
IsAppThemed, xrefs: 0044B005
GetCurrentThemeName, xrefs: 0044B071
GetThemePartSize, xrefs: 0044ADD7
SetThemeAppProperties, xrefs: 0044B05F
GetWindowTheme, xrefs: 0044B017
GetThemeTextExtent, xrefs: 0044ADE9
IsThemeDialogTextureEnabled, xrefs: 0044B03B
GetThemeSysColorBrush, xrefs: 0044AF87
IsThemeBackgroundPartiallyTransparent, xrefs: 0044AE67
GetThemeSysInt, xrefs: 0044AFE1
GetThemeString, xrefs: 0044AE9D
OpenThemeData, xrefs: 0044AD6B
GetThemeFilename, xrefs: 0044AF63
DrawThemeBackground, xrefs: 0044AD8F
DrawThemeText, xrefs: 0044ADA1
GetThemeSysString, xrefs: 0044AFCF
GetThemeBackgroundContentRect, xrefs: 0044ADB3, 0044ADC5
GetThemeInt, xrefs: 0044AEC1
EnableThemeDialogTexture, xrefs: 0044B029
EnableTheming, xrefs: 0044B0A7
GetThemeSysSize, xrefs: 0044AFAB
GetThemeBackgroundRegion, xrefs: 0044AE0D
GetThemeIntList, xrefs: 0044AF2D
HitTestThemeBackground, xrefs: 0044AE1F
DrawThemeEdge, xrefs: 0044AE31
uxtheme.dll, xrefs: 0044AD56
GetThemePosition, xrefs: 0044AEE5
GetThemeMargins, xrefs: 0044AF1B
GetThemeSysFont, xrefs: 0044AFBD
GetThemeAppProperties, xrefs: 0044B04D
GetThemeBool, xrefs: 0044AEAF
GetThemeRect, xrefs: 0044AF09
IsThemeActive, xrefs: 0044AFF3
GetThemeDocumentationProperty, xrefs: 0044B083
GetThemeFont, xrefs: 0044AEF7
GetThemeEnumValue, xrefs: 0044AED3
GetThemeColor, xrefs: 0044AE79
GetThemeSysBool, xrefs: 0044AF99
GetThemeTextMetrics, xrefs: 0044ADFB
IsThemePartDefined, xrefs: 0044AE55
DrawThemeParentBackground, xrefs: 0044B095
SetWindowTheme, xrefs: 0044AF51

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 05300c773c3fe8c519dd0aafd2a74ca4f4417e5fa76d1045a5fec025cdc9a15c
Instruction ID: 5169d35cc0c40435630ad3afe2d7a88fabdc5ea4a28e3ebae144798e7e1bad85
Opcode Fuzzy Hash: 05300c773c3fe8c519dd0aafd2a74ca4f4417e5fa76d1045a5fec025cdc9a15c
Instruction Fuzzy Hash: 1891D6B0A40B50EBEF00EFF59DC6A2636A8EB15B14714457BB444EF295D7B8C804CF99

Function 004566B8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0045671F
QueryPerformanceCounter.KERNEL32(02193858,00000000,004569B2,?,?,02193858,00000000,?,004570AE,?,02193858,00000000), ref: 00456728
GetSystemTimeAsFileTime.KERNEL32(02193858,02193858), ref: 00456732
GetCurrentProcessId.KERNEL32(?,02193858,00000000,004569B2,?,?,02193858,00000000,?,004570AE,?,02193858,00000000), ref: 0045673B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004567B1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02193858,02193858), ref: 004567BF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00491A80,00000003,00000000,00000000,00000000,0045696E), ref: 00456807
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045695D,?,00000000,C0000000,00000000,00491A80,00000003,00000000,00000000,00000000,0045696E), ref: 00456840

Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004568E9
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045691F
CloseHandle.KERNEL32(000000FF,00456964,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456957

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

Strings

Cannot utilize 64-bit features on this version of Windows, xrefs: 00456700
CreateFile, xrefs: 00456815
D, xrefs: 00456862
SetNamedPipeHandleState, xrefs: 00456849
CreateNamedPipe, xrefs: 004567CF
Helper process PID: %u, xrefs: 0045693C
64-bit helper EXE wasn't extracted, xrefs: 00456713
CreateProcess, xrefs: 004568F2
Starting 64-bit helper process., xrefs: 004566ED
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00456787
helper %d 0x%x, xrefs: 004568C8
h, xrefs: 0045689C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$h$helper %d 0x%x
API String ID: 770386003-3739555822
Opcode ID: 7a652d3851aa2a46fc11de33a7847c7f814403f051549c5087853c1f47360dd1
Instruction ID: 11cc02d5b4c65d74a0167c6227b1ef0bb38041da715edce79722e55ed4dc78f9
Opcode Fuzzy Hash: 7a652d3851aa2a46fc11de33a7847c7f814403f051549c5087853c1f47360dd1
Instruction Fuzzy Hash: FD713370A00744AEDB11DB69CC41B9EBBF8EB09305F5181BAF908FB282D7785944CF69

Function 0045A0E8 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 172libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045A102
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045A122
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 0045A12F
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoA), ref: 0045A13C
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045A14A
AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A31E), ref: 0045A1E9
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A31E), ref: 0045A1F2
LocalFree.KERNEL32(?,0045A2CC), ref: 0045A2BF

Strings

SetNamedSecurityInfoA, xrefs: 0045A136
GetNamedSecurityInfoA, xrefs: 0045A129
W, xrefs: 0045A200
advapi32.dll, xrefs: 0045A11D
SetEntriesInAclW, xrefs: 0045A144

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$W$advapi32.dll
API String ID: 4088882585-3389539026
Opcode ID: a750f6bc507d3a328a51a5dbc9105ee0b18db01a3e0f408d2edc8ea27e296f40
Instruction ID: 53dbb0a0fcd2a75aff2a5c1782a6a4235bf2da2959e2968fa151a2620b62acf5
Opcode Fuzzy Hash: a750f6bc507d3a328a51a5dbc9105ee0b18db01a3e0f408d2edc8ea27e296f40
Instruction Fuzzy Hash: 045182B1900608AFDB10DF99C845BAEB7F8EB08315F10816AF904F7382D2799E55CF69

Function 00471D70 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00471DC3
GetLastError.KERNEL32(-00000010,?), ref: 00471DCC
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00471E19
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00471E3D
CloseHandle.KERNEL32(00000000,00471E6E,00000000,00000000,000000FF,000000FF,00000000,00471E67,?,-00000010,?), ref: 00471E61

Strings

MsgWaitForMultipleObjects, xrefs: 00471E26
<, xrefs: 00471D8E
ShellExecuteEx, xrefs: 00471DDD
GetExitCodeProcess, xrefs: 00471E46
ShellExecuteEx returned hProcess=0, xrefs: 00471DED
runas, xrefs: 00471D9C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 171997614-221126205
Opcode ID: 85f8e2aa896032996c12e34d9895de412d9f9db673f6e56ec0164cd69b6af82a
Instruction ID: 5ecb40f87429d7d11547f51ae298583b800dd69eb7e736ddd6194e700b57543d
Opcode Fuzzy Hash: 85f8e2aa896032996c12e34d9895de412d9f9db673f6e56ec0164cd69b6af82a
Instruction Fuzzy Hash: 73216574A40104AADB10EBAD8842BDE76A8DF05358F50843BF908E72A1DB7C99458B5D

Function 0041832C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041833B
GetWindowPlacement.USER32(?,0000002C), ref: 00418358
GetWindowRect.USER32(?), ref: 00418374
GetWindowLongA.USER32(?,000000F0), ref: 00418382
GetWindowLongA.USER32(?,000000F8), ref: 00418397
ScreenToClient.USER32(00000000), ref: 004183A0
ScreenToClient.USER32(00000000,?), ref: 004183AB

Strings

,, xrefs: 00418344

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: e846b1d96ad6d403d5ac4900d6db5fa2b4fc685dffe037c5368f6a7b37d89c4b
Instruction ID: acb8bb2f18b9e5a8d0717189301f77369ef91ad6b472dfe09f3ff812f2607344
Opcode Fuzzy Hash: e846b1d96ad6d403d5ac4900d6db5fa2b4fc685dffe037c5368f6a7b37d89c4b
Instruction Fuzzy Hash: 70111971505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CBA9

Function 00453AF8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00453B07
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453B0D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453B26
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453B4D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453B52
ExitWindowsEx.USER32(00000002,00000000), ref: 00453B63

Strings

SeShutdownPrivilege, xrefs: 00453B1F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 982ff0191f50bbd9cd411f2d5bf63d981ee67892c17860e9fb891ba62e1030d4
Instruction ID: 7f7469d741d4a2fc9540d00a6168bb4e8b3a9b73c98c3c4e7b422180d550d177
Opcode Fuzzy Hash: 982ff0191f50bbd9cd411f2d5bf63d981ee67892c17860e9fb891ba62e1030d4
Instruction Fuzzy Hash: E6F06870684302B5E610AE768D07F6B6188974078AF50092ABD45EA1C3D6BDEA0C4A3E

Function 00490094 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000,004903B0,?,?,00000000,00492628), ref: 004900EB
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049016E
FindNextFileA.KERNEL32(000000FF,?,00000000,004901AA,?,00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000), ref: 00490186
FindClose.KERNEL32(000000FF,004901B1,004901AA,?,00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000,004903B0), ref: 004901A4

Strings

isRS-???.tmp, xrefs: 004900D5
isRS-, xrefs: 0049010B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: a0909815745651a6e29cf20bd8b781976d1d4314a862de6b75aa5fb42f452788
Instruction ID: aeb5e1c6dec8106b2d0d5562d2962c543317903ced43ff168440b54f7dc1d23c
Opcode Fuzzy Hash: a0909815745651a6e29cf20bd8b781976d1d4314a862de6b75aa5fb42f452788
Instruction Fuzzy Hash: E1318671A006186FDF14EF65CC42ACEBBBDDB49314F5184B7A808B32A1D7389F458E58

Function 00476A70 Relevance: 9.2, APIs: 6, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,00476D36), ref: 00476AD1
FindNextFileA.KERNEL32(000000FF,?,00000000,00476BE1,?,00000000,?,?,?,?,00000000,00476D36), ref: 00476BBD
FindClose.KERNEL32(000000FF,00476BE8,00476BE1,?,00000000,?,?,?,?,00000000,00476D36), ref: 00476BDB
FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00476C34

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: e6f926a53b3c1e954d20b2074f6006038b3d4c05a9a49b0a12ac5ecd0ae4d054
Instruction ID: 14931f8a0e3cac93bb735ea196381e3f6523e98b7e5ca17cfb4e14f2e37d7476
Opcode Fuzzy Hash: e6f926a53b3c1e954d20b2074f6006038b3d4c05a9a49b0a12ac5ecd0ae4d054
Instruction Fuzzy Hash: 8F716F7090061DAFCF21EFA5CC41ADFBBB9EB49304F5184AAE408A7291D7399A45CF58

Function 004551F4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455271
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455298
SetForegroundWindow.USER32(?), ref: 004552A9
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455574,?,00000000,004555B0), ref: 0045555F

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004553E9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 099e3b808230fa4ae78bad551a04f96312a8d2ac3e3a530bfd6b6edaffce8ff0
Instruction ID: 392021ee4ceeb38a924916f9eb287e4a04e01d199228d5f5cdfc091a65a304ea
Opcode Fuzzy Hash: 099e3b808230fa4ae78bad551a04f96312a8d2ac3e3a530bfd6b6edaffce8ff0
Instruction Fuzzy Hash: 2C91F134604604EFD701CF55C961F6ABBF5EB89701F2080BAF80497796D678AE04DF18

Function 00454320 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00454454), ref: 00454350
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00454356

Strings

GetDiskFreeSpaceExA, xrefs: 00454346
kernel32.dll, xrefs: 0045434B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 520f3e2607fe0fa08eb4d9a7f93f0e182fe4af2e7d12abdc28646ae8dc8ecfed
Instruction ID: 308890e583471f7d729b9dc2fcd7aa40e9e9c611359b8057d7b1245ba4b987a9
Opcode Fuzzy Hash: 520f3e2607fe0fa08eb4d9a7f93f0e182fe4af2e7d12abdc28646ae8dc8ecfed
Instruction Fuzzy Hash: E6318871A44259AFCF01DFA5C882AEEB7B8EF49704F508566F800F7252D63C5D49CB64

Function 0046F16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F1C5
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F28A
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F298

Strings

unins???.*, xrefs: 0046F1AF
unins, xrefs: 0046F218

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 36003060cf21bb4efa049de99e7bc8982056908e5327694f5b5213cd553c9e96
Instruction ID: 3c9c22acd9639b612fd9d01020641e4b72dcc3c09d6e577180f12476a66c67e0
Opcode Fuzzy Hash: 36003060cf21bb4efa049de99e7bc8982056908e5327694f5b5213cd553c9e96
Instruction Fuzzy Hash: 2831D474600108AFDB50EB69D891ADEB7BCEF05308F5044F6E848E72A2E7399F458F19

Function 00417C78 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417CB7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CD5
GetWindowPlacement.USER32(?,0000002C), ref: 00417D0B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D32

Strings

,, xrefs: 00417CF9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 1384c885decf350a388a6044328c4ef6f341b8841973c44ec72f33afddd09757
Instruction ID: 3ed2450f0a7179b47446a38646254312085a05cbd9a13da21c4f815be273b126
Opcode Fuzzy Hash: 1384c885decf350a388a6044328c4ef6f341b8841973c44ec72f33afddd09757
Instruction Fuzzy Hash: 26214CB16002089BDF10EF69D8C0ADA77A8AF48314F55856AFD18DF246D638E845CBA8

Function 0045F3A4 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045F561), ref: 0045F3D5
FindFirstFileA.KERNEL32(00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F464
FindNextFileA.KERNEL32(000000FF,?,00000000,0045F516,?,00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F4F6
FindClose.KERNEL32(000000FF,0045F51D,0045F516,?,00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F510

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: cfbc6f39b4e8b5bcaa8efc0914daf560513fda0f474cccf54896c9a6300cb9d6
Instruction ID: e743b63e75f8199e1de71fb1591aa20c9e7e702e030350ab1363ce7340e32dce
Opcode Fuzzy Hash: cfbc6f39b4e8b5bcaa8efc0914daf560513fda0f474cccf54896c9a6300cb9d6
Instruction Fuzzy Hash: 48416870A00618AFCB11EF65DC45ADEB7B8EB48315F4044BAF804A7392D63C9E4D8E59

Function 0045F820 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045FA07), ref: 0045F895
FindFirstFileA.KERNEL32(00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F8DB
FindNextFileA.KERNEL32(000000FF,?,00000000,0045F9B4,?,00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F990
FindClose.KERNEL32(000000FF,0045F9BB,0045F9B4,?,00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F9AE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 59525afeafe4148722d584f1d2047be4bc65e0fc6c60f27493fd8ef1fa6d9f1a
Instruction ID: b06fad13edd5318fdfd495eee050f4f7a9e8aa821ad8a724925d5bb9b3bb6141
Opcode Fuzzy Hash: 59525afeafe4148722d584f1d2047be4bc65e0fc6c60f27493fd8ef1fa6d9f1a
Instruction Fuzzy Hash: E1414471A00A18ABCB11EF65CC859DEB7B9EF88315F5044B6FC04E7341D7389E488E59

Function 0042E6CC Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E6EE
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E719
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E726
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E72E
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E734

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: f18602867fbc86e501edeea524c91156c3b3802428a683b191dd3457d48d53f0
Instruction ID: 1e70605f52ae136b2496113c77cf63f65d5ab7d673e450a7d96165da6ee8aff6
Opcode Fuzzy Hash: f18602867fbc86e501edeea524c91156c3b3802428a683b191dd3457d48d53f0
Instruction Fuzzy Hash: 85F0CD713917203AF620B17A6C82F7B428C8785B68F10823ABB04FF1C1D9A84C05056D

Function 0047C25C Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0047C29A
GetWindowLongA.USER32(00000000,000000F0), ref: 0047C2B8
ShowWindow.USER32(00000000,00000005,00000000,000000F0,00492F5C,0047BAE6,0047BB1A,00000000,0047BB3A,?,?,00000001,00492F5C), ref: 0047C2DA
ShowWindow.USER32(00000000,00000000,00000000,000000F0,00492F5C,0047BAE6,0047BB1A,00000000,0047BB3A,?,?,00000001,00492F5C), ref: 0047C2EE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: fed5852980bebdd882c35d2d98819e89d57ad67722e601b6875c178357f78e16
Instruction ID: fd372386a479fdc92fac3e2ef30eced7ce39e9e6ab59154070fbeb580aa605ee
Opcode Fuzzy Hash: fed5852980bebdd882c35d2d98819e89d57ad67722e601b6875c178357f78e16
Instruction Fuzzy Hash: E9017970E44245B6D710A7B5DD85FE633D56B15304F1840BFB8099B2A7CBBDCC42961C

Function 0045DE20 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045DEF4), ref: 0045DE78
FindNextFileA.KERNEL32(000000FF,?,00000000,0045DED4,?,00000000,?,00000000,0045DEF4), ref: 0045DEB4
FindClose.KERNEL32(000000FF,0045DEDB,0045DED4,?,00000000,?,00000000,0045DEF4), ref: 0045DECE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a216a7bdbdee3682f527e071f5b1695ae15f696d728e6939e7ee4b5ef1c15c59
Instruction ID: 32c984a38fc023b26ff7fc855e6f7d071233f0675ee5b85f89907f23cc5ee99f
Opcode Fuzzy Hash: a216a7bdbdee3682f527e071f5b1695ae15f696d728e6939e7ee4b5ef1c15c59
Instruction Fuzzy Hash: D121DB31D046086EDB31EB65CC42ADEB7BCDF49705F5044B7EC08E6562D63C9D49CA18

Function 00424184 Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042418C
SetActiveWindow.USER32(?,?,?,0046781F), ref: 00424199

Part of subcall function 004235F4: ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F

Part of subcall function 00423ABC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021925AC,004241B2,?,?,?,0046781F), ref: 00423AF7

SetFocus.USER32(00000000,?,?,?,0046781F), ref: 004241C6

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: abf3d26623ce3f5f1df30a1bb2ccc38e960545179f371c4c6c880d0d7118eb6a
Instruction ID: 9d7b97b1588b57ef25092538823a17ee25a728ca1780dde3acf0986de5f54100
Opcode Fuzzy Hash: abf3d26623ce3f5f1df30a1bb2ccc38e960545179f371c4c6c880d0d7118eb6a
Instruction Fuzzy Hash: 36F03A717001209BCB00AFAAECC5B9632A8AF18304B55017BBC08DF34BCABCDD5187A8

Function 00417C76 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417CB7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CD5
GetWindowPlacement.USER32(?,0000002C), ref: 00417D0B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D32

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: ccf45bac815ac9650c1eda7d7ee920735da51ae8acefeeb5a5ed1e1968a9009b
Instruction ID: 69af1cea5ab0db390c44c228a9afcc828c7f08346dc1f1cf855d2dc861a92e07
Opcode Fuzzy Hash: ccf45bac815ac9650c1eda7d7ee920735da51ae8acefeeb5a5ed1e1968a9009b
Instruction Fuzzy Hash: AF018471204104ABDB20EE69DCC1EEB77A8AF54324F158166FD0CCF246E639EC8187E8

Function 004511DC Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045123F,?,?,-00000001,00000000), ref: 00451219
GetLastError.KERNEL32(00000000,?,00000000,0045123F,?,?,-00000001,00000000), ref: 00451221

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: a602d2efdf960d6167be496792d274a39b8ae1fe5526e10b942367c2e78b3dad
Instruction ID: 48b66b5ea5a2bd036d7052275c493811c4e0670e4fb7de4650a4648509248124
Opcode Fuzzy Hash: a602d2efdf960d6167be496792d274a39b8ae1fe5526e10b942367c2e78b3dad
Instruction Fuzzy Hash: B0F0F971A04604AB8B10DB6AAC4249EB7ECDB45725B6046BBFC14F3292DA784E048559

Function 00417540 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041756B
GetCapture.USER32 ref: 00417574

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 91823dd687394a4ed8ee48a39c45190aee43210de23b0732d742fca1e8511f91
Instruction ID: f3ef26a9ec4c3639b3254842bc08cf6d9feb289c2be9135b2bbb431e5f50db89
Opcode Fuzzy Hash: 91823dd687394a4ed8ee48a39c45190aee43210de23b0732d742fca1e8511f91
Instruction Fuzzy Hash: B6F03171315601ABD720962AC885AAB72B69F84319B14483BE41ACBB55EB78DCC58258

Function 0042413C Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424143

Part of subcall function 00423A2C: EnumWindows.USER32(004239C4), ref: 00423A50
Part of subcall function 00423A2C: GetWindow.USER32(?,00000003), ref: 00423A65
Part of subcall function 00423A2C: GetWindowLongA.USER32(?,000000EC), ref: 00423A74
Part of subcall function 00423A2C: SetWindowPos.USER32(00000000,00424104,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424153,?,?,00423D1B), ref: 00423AAA

SetActiveWindow.USER32(?,?,?,00423D1B,00000000,00424104), ref: 00424157

Part of subcall function 004235F4: ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 657f3c15db0d6cf34cada4c58ec239c69b7baa88831cd667e440955cb53f6524
Instruction ID: d512277381545323e1bd2a4b4845e65b82e595a2bd73893c0d57f68d30832658
Opcode Fuzzy Hash: 657f3c15db0d6cf34cada4c58ec239c69b7baa88831cd667e440955cb53f6524
Instruction Fuzzy Hash: B0E01AA1B0010097EB00EF69DCC9B9672A8BF58304F55017ABC0CCF24BD67CC8908724

Function 00412580 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0041277D), ref: 0041276B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 84af43a7efb99244d046e7d510ceccf456a9c98264e621075b9ccc522f6ffcaf
Instruction ID: 0d09216766d9d5b385ece6e8cba1e36b912c6a1774b5342391935a21d5851d13
Opcode Fuzzy Hash: 84af43a7efb99244d046e7d510ceccf456a9c98264e621075b9ccc522f6ffcaf
Instruction Fuzzy Hash: 7551F431204205DFCB14DB6ADA81A9BF3E5FF98314B20817BE814C3791DBB8AC92C758

Function 004722D4 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00472422

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: a5a8acde2ea139e8bd48252c6c24868853d47a4937822392afe82ac5ea5e748c
Instruction ID: c3992268c3801ed1beac7631f2e5f9cad90702d4ee9162ede732c10c083e2767
Opcode Fuzzy Hash: a5a8acde2ea139e8bd48252c6c24868853d47a4937822392afe82ac5ea5e748c
Instruction Fuzzy Hash: 5F413575604108DFCB10CFA9D7809AAB7F5FB48310B25C996E848DB301D3BCEE41AB55

Function 00453AB0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00453AC6

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5296a1f906bcaa54e59ae334d9b19b6ea28d15cb2d3d13e924c6b19246622dfc
Instruction ID: 059ce6dee4a85458501d0894a56d11df68a23133cc4b2401fd590ab7d757c589
Opcode Fuzzy Hash: 5296a1f906bcaa54e59ae334d9b19b6ea28d15cb2d3d13e924c6b19246622dfc
Instruction Fuzzy Hash: 5AD0C2B120420053C701AE68DC8269B358C8B84316F10483E7CC6DA2C3E67DDF48A75A

Function 0042ED38 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ED54

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 1618573b336cfe43e6365c49c1add1a31867e84e149d2e83090908c597df2fde
Instruction ID: 530d004986d911579cf02e8422d66cb1dcb863e7172150f09f51376a0a0a5638
Opcode Fuzzy Hash: 1618573b336cfe43e6365c49c1add1a31867e84e149d2e83090908c597df2fde
Instruction Fuzzy Hash: 64D0A77121010DAFCB00DE9AE840D6F33ACEB88700BA0C806F518C7201C234EC108BB4

Function 004696B4 Relevance: 65.1, APIs: 1, Strings: 36, Instructions: 391registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004695AC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,0049307C,?,004697A3,?,00000000,00469BEA,?,_is1), ref: 004695CF

RegCloseKey.ADVAPI32(?,00469BF1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00469C39,?,?,00000001,0049307C), ref: 00469BE4

Strings

Contact, xrefs: 00469AE0
RegisterPreviousData, xrefs: 00469B9A
Inno Setup: App Path, xrefs: 004697C6
QuietUninstallString, xrefs: 004699F8
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004696F6
HelpTelephone, xrefs: 00469A6C
DisplayVersion, xrefs: 00469A15
_is1, xrefs: 004696FC
Inno Setup: Deselected Components, xrefs: 0046988F
URLUpdateInfo, xrefs: 00469AA6
NoModify, xrefs: 00469B31
Inno Setup: Selected Tasks, xrefs: 004698B7
UninstallString, xrefs: 004699BE
Inno Setup: User, xrefs: 00469832
InstallLocation, xrefs: 004697E6
Inno Setup: Icon Group, xrefs: 004697F5
Publisher, xrefs: 00469A32
5.2.3, xrefs: 00469796
Inno Setup: User Info: Serial, xrefs: 00469918
Comments, xrefs: 00469AFD
Inno Setup: Selected Components, xrefs: 00469870
URLInfoAbout, xrefs: 00469A4F
ModifyPath, xrefs: 00469B1D
Inno Setup: Deselected Tasks, xrefs: 004698D6
HelpLink, xrefs: 00469A89
InstallDate, xrefs: 00469B64
DisplayIcon, xrefs: 00469984
" /SILENT, xrefs: 004699EB
DisplayName, xrefs: 00469967
Inno Setup: Setup Version, xrefs: 00469791
Inno Setup: User Info: Name, xrefs: 004698EE
Readme, xrefs: 00469AC3
Inno Setup: No Icons, xrefs: 00469813
NoRepair, xrefs: 00469B45
Inno Setup: User Info: Organization, xrefs: 00469903
Inno Setup: Setup Type, xrefs: 00469851

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.2.3$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-1148470211
Opcode ID: 1a066fec2956ed7fb3ca26c1169ca7e0e404097702973f26aff6aed69efbdb2c
Instruction ID: b10ae86822701baf94b0909050c6c73479acdbc000c85b0031fe9b3e7e797c5a
Opcode Fuzzy Hash: 1a066fec2956ed7fb3ca26c1169ca7e0e404097702973f26aff6aed69efbdb2c
Instruction Fuzzy Hash: BEE13475A00109ABCB04EF55D98199F73BDEB44304F60847BE4056B395EBB9BE01CB6E

Function 00455F9C Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00491A74,00000001,00000000,00000000,004562D1,?,?,?,00000001,?,004564EB,00000000,00456501,?,00000000,00492628), ref: 00455FE9
CreateFileMappingA.KERNEL32(000000FF,00491A74,00000004,00000000,00002018,00000000), ref: 00456021
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,004562A7,?,00491A74,00000001,00000000,00000000,004562D1,?,?,?), ref: 00456048
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456155
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,004562A7,?,00491A74,00000001,00000000,00000000,004562D1), ref: 004560AD

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045616C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004561A5
GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004561B7
UnmapViewOfFile.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456289
CloseHandle.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456298
CloseHandle.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004562A1

Strings

GetProcAddress, xrefs: 00456215
Spawning _RegDLL.tmp, xrefs: 00455FC8
dE, xrefs: 004560DD, 00456143, 004560E0
D, xrefs: 00456116
_isetup\_RegDLL.tmp, xrefs: 004560D3
MapViewOfFile, xrefs: 00456056
_RegDLL.tmp %u %u, xrefs: 004560FD
CreateProcess, xrefs: 0045615E
CreateFileMapping, xrefs: 0045602F
REGDLL returned unknown result code %d, xrefs: 00456268
OleInitialize, xrefs: 004561F1
LoadLibrary, xrefs: 00456203
ReleaseMutex, xrefs: 004560B6
CreateMutex, xrefs: 00455FF7
REGDLL mutex wait failed (%d, %d), xrefs: 004561CB
REGDLL failed with exit code 0x%x, xrefs: 00456195

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$dE
API String ID: 4012871263-2761909193
Opcode ID: 83662bab74edad31f8ddda3ae7b32a3842f160b385c6df833838aa9f7605bd42
Instruction ID: f83b799fad480325abbebf32ce7824c881fe6810fb4ea4fb229400168c5a50eb
Opcode Fuzzy Hash: 83662bab74edad31f8ddda3ae7b32a3842f160b385c6df833838aa9f7605bd42
Instruction Fuzzy Hash: E0918070A402149FDF10EBA9C841B9EB7B4EB48305F91856BF814EB393DB789948CF59

Function 0041F0C0 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00418F98,00000000,?,?,?,00000001), ref: 0041F0CE
SetErrorMode.KERNEL32(00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0EA
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0F6
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F104
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F134
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F15D
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F172
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F187
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1B1
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1C6
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1DB
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1F0
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F205
FreeLibrary.KERNEL32(00000001,?,00418F98,00000000,?,?,?,00000001), ref: 0041F217

Strings

Ctl3dDlgFramePaint, xrefs: 0041F191
Ctl3dUnAutoSubclass, xrefs: 0041F1D0
BtnWndProc3d, xrefs: 0041F1FA
Ctl3dRegister, xrefs: 0041F129
Ctl3dSubclassDlgEx, xrefs: 0041F17C
Ctl3dCtlColorEx, xrefs: 0041F1A6
Ctl3DColorChange, xrefs: 0041F1E5
Ctl3dUnregister, xrefs: 0041F152
Ctl3dSubclassCtl, xrefs: 0041F167
CTL3D32.DLL, xrefs: 0041F0F1
Ctl3dAutoSubclass, xrefs: 0041F1BB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 39377f19203999d82cec5eda0a213dd08459800d8dedc3050573d9428b858516
Instruction ID: 9ff2825c27a268439dd1d1bb46a0bfc7fca62d380631be57860753cffe2250cf
Opcode Fuzzy Hash: 39377f19203999d82cec5eda0a213dd08459800d8dedc3050573d9428b858516
Instruction Fuzzy Hash: C4310DB5600701FBDB00EBF5AC86A763298B768764746093BB109DB1B2E77D484ACB1D

Function 0048F140 Relevance: 35.5, APIs: 3, Strings: 17, Instructions: 481COMMON

Download Yara Rule

Strings

Uninstall DAT: , xrefs: 0048F242
utCompiledCode[1] is invalid, xrefs: 0048F3BF
Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 0048F3F9
Setup version: Inno Setup version 5.2.3, xrefs: 0048F215
InitializeUninstall, xrefs: 0048F53E
Will not restart Windows automatically., xrefs: 0048F7F2
Original Uninstall EXE: , xrefs: 0048F21F
Removed all? %s, xrefs: 0048F648
DeinitializeUninstall, xrefs: 0048F888
UninstallNeedRestart, xrefs: 0048F67E, 0048F6B7
Uninstall command line: , xrefs: 0048F265
Will restart because UninstallNeedRestart returned True., xrefs: 0048F6CE
Need to restart Windows? %s, xrefs: 0048F71F
Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 0048F391
Uninstall, xrefs: 0048F1C8
InitializeUninstall returned False; aborting., xrefs: 0048F576
Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 0048F6FD

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Show
String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.2.3$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
API String ID: 3609083571-2151202259
Opcode ID: 17d8b5f42ab7f82cb7451de9c533369e7edc4c53996bed38a7280d377b86ce4a
Instruction ID: 2b269d8c764b7bac30a443b9f4bc23fd7acbfe7da633e0682c37f6fe37a00802
Opcode Fuzzy Hash: 17d8b5f42ab7f82cb7451de9c533369e7edc4c53996bed38a7280d377b86ce4a
Instruction Fuzzy Hash: 2C12B234A00244AFD711FF65D842B5E7BA1AB5A709F50487BF800AB3A6CB7C9D49CB1D

Function 0041C9B4 Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,0041A8EC,?), ref: 0041C9E8
73A24C40.GDI32(?,00000000,?,0041A8EC,?), ref: 0041C9F4
73A26180.GDI32(0041A8EC,?,00000001,00000001,00000000,00000000,0041CC0A,?,?,00000000,?,0041A8EC,?), ref: 0041CA18
73A24C00.GDI32(?,0041A8EC,?,00000000,0041CC0A,?,?,00000000,?,0041A8EC,?), ref: 0041CA28
SelectObject.GDI32(0041CDE4,00000000), ref: 0041CA43
FillRect.USER32(0041CDE4,?,?), ref: 0041CA7E
SetTextColor.GDI32(0041CDE4,00000000), ref: 0041CA93
SetBkColor.GDI32(0041CDE4,00000000), ref: 0041CAAA
PatBlt.GDI32(0041CDE4,00000000,00000000,0041A8EC,?,00FF0062), ref: 0041CAC0
73A24C40.GDI32(?,00000000,0041CBC3,?,0041CDE4,00000000,?,0041A8EC,?,00000000,0041CC0A,?,?,00000000,?,0041A8EC), ref: 0041CAD3
SelectObject.GDI32(00000000,00000000), ref: 0041CB04
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3,?,0041CDE4,00000000,?,0041A8EC), ref: 0041CB1C
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3,?,0041CDE4,00000000,?), ref: 0041CB25
73A18830.GDI32(0041CDE4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3), ref: 0041CB34
73A122A0.GDI32(0041CDE4,0041CDE4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3), ref: 0041CB3D
SetTextColor.GDI32(00000000,00000000), ref: 0041CB56
SetBkColor.GDI32(00000000,00000000), ref: 0041CB6D
73A24D40.GDI32(0041CDE4,00000000,00000000,0041A8EC,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CBB2,?,?,00000000), ref: 0041CB89
SelectObject.GDI32(00000000,?), ref: 0041CB96
DeleteDC.GDI32(00000000), ref: 0041CBAC

Part of subcall function 0041A000: GetSysColor.USER32(?), ref: 0041A00A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
String ID:
API String ID: 1381628555-0
Opcode ID: c8262b5c9687899cb3da658a9da79215068cbf101d5c2b8ed1964b5729b21c16
Instruction ID: ff179a34f285c3436bc621bb31859736a2280516ecfda4d40c06e70735cb6950
Opcode Fuzzy Hash: c8262b5c9687899cb3da658a9da79215068cbf101d5c2b8ed1964b5729b21c16
Instruction Fuzzy Hash: 8E61DE71A44608ABDF10EBE9DC86FDFB7B8EF48704F10446AF504E7281D67CA9408B69

Function 0042DEAC Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEE6
GetVersion.KERNEL32(00000000,0042E090,?,00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF03
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E090,?,00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF1C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF22
FreeSid.ADVAPI32(00000000,0042E097,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E08A

Strings

CheckTokenMembership, xrefs: 0042DF12
advapi32.dll, xrefs: 0042DF17

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 1717332306-1888249752
Opcode ID: 5f5c98329cab989edc111d9b036305000fa4ba23c93f54e06945bc06275b7e1f
Instruction ID: c9ca30b7fa2e8a9abceabce4e586e827254369ae75abf0d5bc05731ff3bd77e9
Opcode Fuzzy Hash: 5f5c98329cab989edc111d9b036305000fa4ba23c93f54e06945bc06275b7e1f
Instruction Fuzzy Hash: 2B51C571B44625AEDB10EAF69D42F7F7BACDB09704F94087BB600E7282C5BC9805866D

Function 004903C0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000,?,00490A99,00000000,00490AA3,?,00000000), ref: 00490443
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000,?,00490A99,00000000), ref: 00490456
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000), ref: 00490466
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00490487
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000), ref: 00490497

Part of subcall function 0042D330: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3BE,?,?,00000000,?,?,0048FE54,00000000,0049001D,?,?,00000005), ref: 0042D365

Strings

Setup, xrefs: 0049042F
/REG, xrefs: 004903F5
.msg, xrefs: 004904BA
.lst, xrefs: 004904D4
/REGU, xrefs: 00490419
Inno-Setup-RegSvr-Mutex, xrefs: 0049044D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 3699ef8ba76cb401735b22bcdb05d11d0a8b461a6bb93247a14510d4b066adbb
Instruction ID: 6666ff25eec7c53b5eb866eda449138b93a1580bdca8663c56f4b5746ffc9271
Opcode Fuzzy Hash: 3699ef8ba76cb401735b22bcdb05d11d0a8b461a6bb93247a14510d4b066adbb
Instruction Fuzzy Hash: 4E91C430A04244AFDF11EBA5C852BAF7BB4EB49314F5144B7F900AB692C77CAC15CB69

Function 00457FB8 Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 199COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00458252,?,?,?,?,?,00000006,?,00000000,0048F8FB,?,00000000,0048F996), ref: 00458104

Strings

.chm, xrefs: 00458054
The file appears to be in use (%d). Will delete on restart., xrefs: 0045814D
.chw, xrefs: 0045806D
.gid, xrefs: 00458008
.fts, xrefs: 0045802C
.hlp, xrefs: 00457FEF
Stripped read-only attribute., xrefs: 004580DD
Failed to strip read-only attribute., xrefs: 004580E9
Failed to delete the file; it may be in use (%d)., xrefs: 004581F3
Deleting file: %s, xrefs: 004580A3

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-1593206319
Opcode ID: 65522557b16a1cbde8cdd02fe37cdddf060d0912458871050b3dee5c91aa5157
Instruction ID: f32569dbdd6adc11da929e147044c40dcc52494f0e71e5ec630e07cd073e3049
Opcode Fuzzy Hash: 65522557b16a1cbde8cdd02fe37cdddf060d0912458871050b3dee5c91aa5157
Instruction Fuzzy Hash: 666192307046449BDB00EB6988517AE7BA4AB49715F5184AFFC01EB383CF7C9E49CB59

Function 0041B354 Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B36B
73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B375
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B387
73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39E
73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3AA
73A24C00.GDI32(00000000,0000000B,?,00000000,0041B403,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3D7
73A1A480.USER32(00000000,00000000,0041B40A,00000000,0041B403,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3FD
SelectObject.GDI32(00000000,?), ref: 0041B418
SelectObject.GDI32(?,00000000), ref: 0041B427
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B453
SelectObject.GDI32(00000000,00000000), ref: 0041B461
SelectObject.GDI32(?,00000000), ref: 0041B46F
DeleteDC.GDI32(00000000), ref: 0041B478
DeleteDC.GDI32(?), ref: 0041B481

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$Delete$A26180A480A570Stretch
String ID:
API String ID: 359944910-0
Opcode ID: e92431f9581d06db8cd21544c0e7e04c7f7b808437c697100934415fbb48ef82
Instruction ID: f97b2a76bc4940b7567ba323b4cd0a089c72401e81ca6e31c969396a69b82abf
Opcode Fuzzy Hash: e92431f9581d06db8cd21544c0e7e04c7f7b808437c697100934415fbb48ef82
Instruction Fuzzy Hash: 4941BF71E40609AFDF10DAE9D846FEFB7B8EB08704F104466B614FB281C77869418BA4

Function 0046CE64 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 317COMMON

Download Yara Rule

APIs

Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046CFF7
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046D0EA
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046D100
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046D125

Strings

target.lnk, xrefs: 0046D16F
.url, xrefs: 0046CF33
{group}\, xrefs: 0046CEBB
.lnk, xrefs: 0046CEED
Filename: %s, xrefs: 0046CF99
Desktop.ini, xrefs: 0046D1A6
.pif, xrefs: 0046CF10, 0046D06E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 15655358d0d1de2a64c2a888f53485090e8f4bbb5d0d251c73c18022aa3e10a2
Instruction ID: 7241237f7b2753aa4bad096b30eb67052993fe11f1c9b15bd1d8ff4051f223ab
Opcode Fuzzy Hash: 15655358d0d1de2a64c2a888f53485090e8f4bbb5d0d251c73c18022aa3e10a2
Instruction Fuzzy Hash: E5D10174E002499FDB01EF99D885BDDBBF5AF08318F14406AF804B7392D678AE45CB69

Function 00452EAC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,?,00000000,?,00000000,00453145,?,0045841A,00000003,00000000,00000000,0045317C), ref: 00452FC5

Part of subcall function 0042E660: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F

RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,00000000,?,00000004,00000000,0045308F,?,0045841A,00000000,00000000,?,00000000,?,00000000), ref: 00453049
RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,00000000,?,00000004,00000000,0045308F,?,0045841A,00000000,00000000,?,00000000,?,00000000), ref: 00453078

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452EE3
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452F1C
, xrefs: 00452F36
RegOpenKeyEx, xrefs: 00452F48

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: e1411df6ceafc0478c986fe7b9f71ee5aec4cc66ec50f85e14bddc139ce29aae
Instruction ID: 928035bd272ea07f578a002d221a9efba8d97d5daeae889991e526f08aa7b5e3
Opcode Fuzzy Hash: e1411df6ceafc0478c986fe7b9f71ee5aec4cc66ec50f85e14bddc139ce29aae
Instruction Fuzzy Hash: 70913671E00208ABDB10DFA5D941BDEB7F9EB49746F10446BF900F7282D6789E098B69

Function 00456B34 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00456B6B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456B87
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456B95
GetExitCodeProcess.KERNEL32(?), ref: 00456BA6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456BED
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456C09

Strings

Helper process exited, but failed to get exit code., xrefs: 00456BDF
Stopping 64-bit helper process. (PID: %u), xrefs: 00456B5D
Helper isn't responding; killing it., xrefs: 00456B77
Helper process exited., xrefs: 00456BB5
Helper process exited with failure code: 0x%x, xrefs: 00456BD3

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 77dbf362da9f19e54cd8de27c356b651535bcd490225afbe62cf3a86257faec4
Instruction ID: 9d7a733ba7e4b400d55abe2d76827c4ec82c7121443a5166b5708a03c4d9d847
Opcode Fuzzy Hash: 77dbf362da9f19e54cd8de27c356b651535bcd490225afbe62cf3a86257faec4
Instruction Fuzzy Hash: 37217C70604B009ADB20E779C446B5BB7D49F08315F81882FB8D9CB293D67CF8488B6A

Function 00452B60 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC38

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452D37,?,00000000,00452DFB), ref: 00452C87
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452D37,?,00000000,00452DFB), ref: 00452DC3

Part of subcall function 0042E660: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F

Strings

RegCreateKeyEx, xrefs: 00452BFB
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452B9F
, xrefs: 00452BE9
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452BCF

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 6f124a48ecf100d3e8553b578cd000851431d6a6b6a63acb158ce1470409b43d
Instruction ID: 541388b9b65ddcc629600b839954f269b6f8816a0d78520760673cf251dcd2db
Opcode Fuzzy Hash: 6f124a48ecf100d3e8553b578cd000851431d6a6b6a63acb158ce1470409b43d
Instruction Fuzzy Hash: A381ED75A00209ABDB01DFD5D941BEEB7B9EF49305F50442BF900F7282D778AA09CB69

Function 0048EDB4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00452038: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452127
Part of subcall function 00452038: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452137

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048EE31
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0048EF85), ref: 0048EE52
CreateWindowExA.USER32(00000000,STATIC,0048EF94,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0048EE79
SetWindowLongA.USER32(?,000000FC,0048E60C), ref: 0048EE8C
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000,STATIC,0048EF94), ref: 0048EEBC
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0048EF30
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000), ref: 0048EF3C

Part of subcall function 00452388: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045246F

73A25CF0.USER32(?,0048EF5F,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000,STATIC), ref: 0048EF52

Strings

STATIC, xrefs: 0048EE72
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0048EEEB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: d286ce31f0742afd55fe71401d241f91e74279016cdde02258f129c258f02059
Instruction ID: 899c3a807d8ebef90b2c1b053718f2bfa0ca9862065cd7989ddb6901344ff065
Opcode Fuzzy Hash: d286ce31f0742afd55fe71401d241f91e74279016cdde02258f129c258f02059
Instruction Fuzzy Hash: 3E415370A44248BFDB00FBA6DD42F9E77B8EB19704F50497AF604F72D1D6799A008B58

Function 0045E0C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045E0CC
GetModuleHandleA.KERNEL32(user32.dll), ref: 0045E0E0
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045E0ED
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045E0FA
GetWindowRect.USER32(?,00000000), ref: 0045E146
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045E184

Strings

(, xrefs: 0045E125
GetMonitorInfoA, xrefs: 0045E0F4
MonitorFromWindow, xrefs: 0045E0E7
user32.dll, xrefs: 0045E0DB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 73036e16f42da6acd576e16728c400c4a88c57da147c7a5b0db3527e42c6b991
Instruction ID: ef411939a0946b870fd052df56d83547aac6ed7b4a766e15f820ec3551d64de0
Opcode Fuzzy Hash: 73036e16f42da6acd576e16728c400c4a88c57da147c7a5b0db3527e42c6b991
Instruction Fuzzy Hash: CE21D475705B04AFD3149669CD81F3F3299DB88B11F08453AFD44DB382DA78DD068AA9

Function 0042EA60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EA6C
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA80
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EA8D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EA9A
GetWindowRect.USER32(?,00000000), ref: 0042EAE6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB24

Strings

MonitorFromWindow, xrefs: 0042EA87
user32.dll, xrefs: 0042EA7B
(, xrefs: 0042EAC5
GetMonitorInfoA, xrefs: 0042EA94

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: a4cb5d69fce430bae7c1880873c7e2b8c2455fe2b3b354cb8798867c4811814b
Instruction ID: de6f8a07dda85d31b5a5cc2262033447bbfd7554ac1e79db9a4c9fe52e5b2086
Opcode Fuzzy Hash: a4cb5d69fce430bae7c1880873c7e2b8c2455fe2b3b354cb8798867c4811814b
Instruction Fuzzy Hash: 2A21C271701614AFD700EA79DCD1F3B3B98DB88710F48452AF945DB382DA78FC008AA9

Function 00401A90 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(00492420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(005A2550,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,005A2550,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(005A3550,?,00000000,00008000,005A2550,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(00492420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(00492420,00401B6F), ref: 00401B62

Strings

P5Z, xrefs: 00401B1B, 00401B26, 00401B32
P%Z, xrefs: 00401AC9, 00401AD6
t;Z, xrefs: 00401B07
$;Z, xrefs: 00401B11

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: $;Z$P%Z$P5Z$t;Z
API String ID: 3782394904-2626233235
Opcode ID: 13d60d6258edcbf522f01d7291c019f1f170a7a552ba6335bbe69aef08fb1927
Instruction ID: fb38efb60124e33bd0d6d544a4e8ce278d04d8a52801059130394851150c0a80
Opcode Fuzzy Hash: 13d60d6258edcbf522f01d7291c019f1f170a7a552ba6335bbe69aef08fb1927
Instruction Fuzzy Hash: C611BF30A017407AEB15AB659E82F263BE8A76170CF44007BF40067AF2D7FC9840C7AE

Function 00456D0C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00456EEB,?,00000000,00456F4E,?,?,02193858,00000000), ref: 00456D69
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02193858,?,00000000,00456E80,?,00000000,00000001,00000000,00000000,00000000,00456EEB), ref: 00456DC6
GetLastError.KERNEL32(?,-00000020,0000000C,-00002034,00000014,02193858,?,00000000,00456E80,?,00000000,00000001,00000000,00000000,00000000,00456EEB), ref: 00456DD3
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00456E1F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00456E59,?,-00000020,0000000C,-00002034,00000014,02193858,?,00000000,00456E80,?,00000000), ref: 00456E45
GetLastError.KERNEL32(?,?,00000000,00000001,00456E59,?,-00000020,0000000C,-00002034,00000014,02193858,?,00000000,00456E80,?,00000000), ref: 00456E4C

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

Strings

TransactNamedPipe, xrefs: 00456DDF
CreateEvent, xrefs: 00456D77

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 48229fdc3ef61929d6ac761d7619ebca0006deda708ad69f0594bdf8de0f3da7
Instruction ID: 3505877414f257bb21a012f26b9d0d7704acec035ae139655f100219df004d2f
Opcode Fuzzy Hash: 48229fdc3ef61929d6ac761d7619ebca0006deda708ad69f0594bdf8de0f3da7
Instruction Fuzzy Hash: 6C41C275A00208AFDB05DF95CD82F9EB7F9FB08714F5140AAF904E7292C6789E44CB68

Function 00454B2C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454C91,?,?,00000031,?), ref: 00454B54
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00454B5A
LoadTypeLib.OLEAUT32(00000000,?), ref: 00454BA7

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

Strings

OLEAUT32.DLL, xrefs: 00454B4F
LoadTypeLib, xrefs: 00454BB2
ITypeLib::GetLibAttr, xrefs: 00454BDD
UnRegisterTypeLib, xrefs: 00454C13
UnRegisterTypeLib, xrefs: 00454B4A
GetProcAddress, xrefs: 00454B67

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 267718d7f289f145d4860ce98bfa165204caeedbe32666a38feb01051b1adf5e
Instruction ID: e4400bf96c166b5c8e97fc258379556c86f091726ab19f10260670aaeab998db
Opcode Fuzzy Hash: 267718d7f289f145d4860ce98bfa165204caeedbe32666a38feb01051b1adf5e
Instruction Fuzzy Hash: 3831B475600604AFDB12EFAACC01E5BB7B9EBC870971144AAF814DB752DA38D984C628

Function 0042ED78 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EDA7
GetFocus.USER32 ref: 0042EDAF
RegisterClassA.USER32(004917AC), ref: 0042EDD0
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EEA4,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EE0E
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EE54
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EE65
SetFocus.USER32(00000000,00000000,0042EE87,?,?,?,00000001,00000000,?,004564AE,00000000,00492628), ref: 0042EE6C

Strings

TWindowDisabler-Window, xrefs: 0042EE07, 0042EE4D
(&I, xrefs: 0042EE7E, 0042EE37, 0042EE44

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: (&I$TWindowDisabler-Window
API String ID: 3167913817-491212620
Opcode ID: c97347664f234b384af7137d1076830138c21674df7d1872669ff5baeb9184fc
Instruction ID: 82027174cfd9f418450fe8ca69ab33f3320fea0b1784bdf35dac21ea3b2746f1
Opcode Fuzzy Hash: c97347664f234b384af7137d1076830138c21674df7d1872669ff5baeb9184fc
Instruction Fuzzy Hash: E0218171740710BAE710EB62ED02F1B76A8EB04B04F62453BF604AB6D1D7B86D50C6ED

Function 0042E264 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E369,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 0042E28D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E293
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E369,?,?,00000001,00000000,?,?,00000001), ref: 0042E2E1

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0042E2F0
.DEFAULT\Control Panel\International, xrefs: 0042E2B8
Locale, xrefs: 0042E2D0
kernel32.dll, xrefs: 0042E288
GetUserDefaultUILanguage, xrefs: 0042E283

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 483f878939a1d75b5fa373088ebdec22d0b5c61e1835e4ed4c89f0f78693b90c
Instruction ID: b5527917e10b0fb8c326f7aa8ff769b2caa43ea40ee794feba058f86ebb39bc0
Opcode Fuzzy Hash: 483f878939a1d75b5fa373088ebdec22d0b5c61e1835e4ed4c89f0f78693b90c
Instruction Fuzzy Hash: 0C215334B00219EBDB00EBA7DC55A9F77A9EB44705FA0447BA900E7291DBBC9A05CB5C

Function 004019CC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(00492420,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(00492420,00401A89,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

`$I, xrefs: 00401A55
P%Z, xrefs: 00401A24, 00401A29, 00401A37
t;Z, xrefs: 00401A04
`$I, xrefs: 00401A4B
$;Z, xrefs: 00401A0E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: $;Z$P%Z$`$I$`$I$t;Z
API String ID: 730355536-1610350602
Opcode ID: 45966a33f2cca9af6227f06f99b0f7a08db919fa22154029dacd4e349c8f896d
Instruction ID: 60313ebd75f34371d34e31ab956689d8a0b747d94a089b2a958688c132db86d3
Opcode Fuzzy Hash: 45966a33f2cca9af6227f06f99b0f7a08db919fa22154029dacd4e349c8f896d
Instruction Fuzzy Hash: AA01C0706452407EFB1AAB6A9A06B263ED8E795748F11803BF440A6AF1C6FC4840CB6D

Function 00416D28 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416DBB
SaveDC.GDI32(?), ref: 00416DCF
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DF2
RestoreDC.GDI32(?,?), ref: 00416E0D
CreateSolidBrush.GDI32(00000000), ref: 00416E8D
FrameRect.USER32(?,?,?), ref: 00416EC0
DeleteObject.GDI32(?), ref: 00416ECA
CreateSolidBrush.GDI32(00000000), ref: 00416EDA
FrameRect.USER32(?,?,?), ref: 00416F0D
DeleteObject.GDI32(?), ref: 00416F17

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 9eaa094af12716ba6a712ed9638624616ca55e3879d61aed165e71946b14b20b
Instruction ID: b1e82343d8b9ba510e891f63597e6edb4555071dc73553b60de04657c1de1759
Opcode Fuzzy Hash: 9eaa094af12716ba6a712ed9638624616ca55e3879d61aed165e71946b14b20b
Instruction Fuzzy Hash: 32513C712086445FDB50EF69C8C0B9B77E8AF48314F15466AFD48CB286C778EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 00422190 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004221DB
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221F9
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422206
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422213
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422220
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042222D
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042223A
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422247
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00422265
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422281

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 2ac919316b1e548bcce60f4eb3ccb73fb66cb5d1796470b9090fa35795744f24
Instruction ID: 142bb334ff85b79c2121110e2d141a600bd35af2d4b4289324417f29a70e323f
Opcode Fuzzy Hash: 2ac919316b1e548bcce60f4eb3ccb73fb66cb5d1796470b9090fa35795744f24
Instruction Fuzzy Hash: 802136703457457BE720D725DD8BFAB7AD89B08708F0440A5B6447F2D3C6FDEA4086A8

Function 0047A510 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 167windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 0047A6B8
FreeLibrary.KERNEL32(00000000), ref: 0047A6CC
SendNotifyMessageA.USER32(0001043A,00000496,00002710,00000000), ref: 0047A731

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 0047A6ED
DeinitializeSetup, xrefs: 0047A5C9
Restarting Windows., xrefs: 0047A70C
Deinitializing Setup., xrefs: 0047A52E
GetCustomSetupExitCode, xrefs: 0047A56D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 7f94562b06cf16aec7fed6c22f1f9bdc246657c7fdb5891cc2b878ec11392670
Instruction ID: f287f9a6f42f295c8f4485c9d1258599c6f04b79e283e83c7e33560143f14427
Opcode Fuzzy Hash: 7f94562b06cf16aec7fed6c22f1f9bdc246657c7fdb5891cc2b878ec11392670
Instruction Fuzzy Hash: 8C51D034600200AFD315DF65D885B9EBBA4FB9A315F61C4BBE808C73A1CB389D55CB5A

Function 0045CDF0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC

SHGetMalloc.SHELL32(?), ref: 0045CE2B
GetActiveWindow.USER32 ref: 0045CE8F
CoInitialize.OLE32(00000000), ref: 0045CEA3
SHBrowseForFolder.SHELL32(?), ref: 0045CEBA
756CD120.OLE32(0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CECF
SetActiveWindow.USER32(?,0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CEE5
SetActiveWindow.USER32(?,?,0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CEEE

Strings

A, xrefs: 0045CE63

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow$BrowseCharD120FolderInitializeMallocPrev
String ID: A
API String ID: 2093991911-3554254475
Opcode ID: a57be843ccaacac0a46b99ad4989412c07f02d64ca0905ed98f03eef16ad0010
Instruction ID: 44e22db6f723d0e43817c9017cb3acb801a4f8e8d8f4fd9594430335e44c7cfb
Opcode Fuzzy Hash: a57be843ccaacac0a46b99ad4989412c07f02d64ca0905ed98f03eef16ad0010
Instruction Fuzzy Hash: 7A310F70E00308AFDB01EFB6D886A9EBBF8EB09304F51447AF914E7252D6785A44CB59

Function 00418BFC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C18
GetSystemMetrics.USER32(0000000D), ref: 00418C20
6F552980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C26

Part of subcall function 00409958: 6F54C400.COMCTL32((&I,000000FF,00000000,00418C54,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0040995C

6F5BCB00.COMCTL32((&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C76
6F5BC740.COMCTL32(00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C81
6F5BCB00.COMCTL32((&I,00000001,?,?,00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000), ref: 00418C94
6F550860.COMCTL32((&I,00418CB7,?,00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E), ref: 00418CAA

Strings

(&I, xrefs: 00418C4C, 00418C64, 00418C72, 00418C90, 00418CA6, 00418C75, 00418C93, 00418CA9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$C400C740F550860F552980
String ID: (&I
API String ID: 1828538299-96580698
Opcode ID: cb724f8f61eeec6223193507a99a441db1e856c55be7018474d1ece8e95461e9
Instruction ID: 46645d9a52805bd5c852c20026195d53dd59d6b8e5b8ddd5dae0d8f2325046d5
Opcode Fuzzy Hash: cb724f8f61eeec6223193507a99a441db1e856c55be7018474d1ece8e95461e9
Instruction Fuzzy Hash: 8B113671B44604BBDB10EBA5DC82F5EB3B8DB48714F50446EBA04F73D2EAB99D408768

Function 0045A7A8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045A7B1
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045A7C1
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045A7D1
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045A7E1

Strings

inflateInit_, xrefs: 0045A7AB
inflateEnd, xrefs: 0045A7CB
inflateReset, xrefs: 0045A7DB
inflate, xrefs: 0045A7BB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 174d8b13224192ef84b630455ef95026d12c70233b8f3b0abbd4307774cc5ebe
Instruction ID: 8bdbbd7099bf23791bc9fd54354aee5868bc2dbadb77176a7910e3edbd90d505
Opcode Fuzzy Hash: 174d8b13224192ef84b630455ef95026d12c70233b8f3b0abbd4307774cc5ebe
Instruction Fuzzy Hash: 8E0125B0500B00EED728EF32AE8872336B5A764345F14C17B9805652BBDBF8045EDA1D

Function 0041A884 Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A961
73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A99B
SetBkColor.GDI32(?,?), ref: 0041A9B0
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9FA
SetTextColor.GDI32(00000000,00000000), ref: 0041AA05
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA15
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA54
SetTextColor.GDI32(00000000,00000000), ref: 0041AA5E
SetBkColor.GDI32(00000000,?), ref: 0041AA6B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: c5f223bee4bb783086f44ddf098ec2f005a4e4987d44d46892a6de9d9b7dd681
Instruction ID: e254907fa32ae31809fa254cf51b9897988a5b4c94e3051facbc65a4db038bdb
Opcode Fuzzy Hash: c5f223bee4bb783086f44ddf098ec2f005a4e4987d44d46892a6de9d9b7dd681
Instruction Fuzzy Hash: 6161E5B5A00105EFCB40EFA9D985E9AB7F8EF08314B11856AF518DB262C734ED41CF69

Function 00455D18 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00455ECC,?, /s ",?,regsvr32.exe",?,00455ECC), ref: 00455E3E

Strings

D, xrefs: 00455DF4
Spawning 64-bit RegSvr32: , xrefs: 00455DA3
/u, xrefs: 00455D7A
CreateProcess, xrefs: 00455E30
regsvr32.exe", xrefs: 00455D5F
/s ", xrefs: 00455D87
0x%x, xrefs: 00455E61
Spawning 32-bit RegSvr32: , xrefs: 00455DC5

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 8956d8217134ec924540eaef24f8b7af3bddc5cdde220baed02106d84dc35579
Instruction ID: 20fae124b9662d37c7335df2d5232179d222b48998ad5ae4538026d20c86275f
Opcode Fuzzy Hash: 8956d8217134ec924540eaef24f8b7af3bddc5cdde220baed02106d84dc35579
Instruction Fuzzy Hash: 71413771E007086BDB11EFD5C852BDDB7F9AF48305F50803BA808BB296D7789A09CB58

Function 0044C864 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044C895
GetSysColor.USER32(00000014), ref: 0044C89C
SetTextColor.GDI32(00000000,00000000), ref: 0044C8B4
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C8DD
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044C8E7
GetSysColor.USER32(00000010), ref: 0044C8EE
SetTextColor.GDI32(00000000,00000000), ref: 0044C906
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C92F
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C95A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 57028361129e52f9431e5318b710a4d40606affc4f959fc4e5e926226b5bbf1d
Instruction ID: b575c18274847aba3012457626d0aaea5839951ed62bd291699816a0262c3fb5
Opcode Fuzzy Hash: 57028361129e52f9431e5318b710a4d40606affc4f959fc4e5e926226b5bbf1d
Instruction Fuzzy Hash: 0321A0B42016047FC710FB6ACD8AE9B7BDCDF19319B04457AB918EB3A3C678DD408669

Function 0047174C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00471674: GetWindowThreadProcessId.USER32(00000000), ref: 0047167C
Part of subcall function 00471674: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00471773,\/I,00000000), ref: 0047168F
Part of subcall function 00471674: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00471695

SendMessageA.USER32(00000000,0000004A,00000000,00471B06), ref: 00471781
GetTickCount.KERNEL32 ref: 004717C6
GetTickCount.KERNEL32 ref: 004717D0
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00471825

Strings

\/I, xrefs: 00471753
CallSpawnServer: Unexpected status: %d, xrefs: 0047180E
CallSpawnServer: Unexpected response: $%x, xrefs: 004717B6

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$\/I
API String ID: 613034392-4045567746
Opcode ID: 0bdae429eff8d1580745a98c8e118b2776b597856db30de61ff8ebb473ee6832
Instruction ID: f11b9d24a016228fd55770aab2269764d20f87266426001b19c3ff40abdb7d86
Opcode Fuzzy Hash: 0bdae429eff8d1580745a98c8e118b2776b597856db30de61ff8ebb473ee6832
Instruction Fuzzy Hash: E0317F78F002159BDB10EBBD88867EEB6A59F04704F50843AB548EB3A2D67C9D01879E

Function 0048E658 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044FC44: SetEndOfFile.KERNEL32(?,?,004599C5,00000000,00459B68,?,00000000,00000002,00000002), ref: 0044FC4B

Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB

GetWindowThreadProcessId.USER32(00000000,?), ref: 0048E6E9
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 0048E6FD
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0048E717
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E723
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E729
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E73C

Strings

Deleting Uninstall data files., xrefs: 0048E65F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 9d067bf5239d494c11ca6ea2ee92c558df55eaca7c9a40dc827b20b8e50aa70c
Instruction ID: 7eb9b81ebef4b9935662b2bd99c088e093be0b50f7952a605171971ca98b3156
Opcode Fuzzy Hash: 9d067bf5239d494c11ca6ea2ee92c558df55eaca7c9a40dc827b20b8e50aa70c
Instruction Fuzzy Hash: 5B216F74744204BEE721FBBADC86B2B3698E759319F50053BF9119A1A2DA789D009B1C

Function 0046A7E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046A8E1,?,?,?,?,00000000), ref: 0046A84B
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046A8E1), ref: 0046A862
AddFontResourceA.GDI32(00000000), ref: 0046A87F
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046A893

Strings

Failed to open Fonts registry key., xrefs: 0046A869
AddFontResource, xrefs: 0046A89D
Failed to set value in Fonts registry key., xrefs: 0046A854

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 4f0b21af98cfc754761b164548fb728c356102c5a86faa4868257e3bcd0555eb
Instruction ID: 1afd192ee4ee27fe0430144d256ae41832f88f75df52154e79e2d4afe470c12e
Opcode Fuzzy Hash: 4f0b21af98cfc754761b164548fb728c356102c5a86faa4868257e3bcd0555eb
Instruction Fuzzy Hash: 2D2191707406047AE710BB668C42B6E679CDB45704F604437B900FB2C2E67CDE169A6F

Function 0045E500 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004163B8: GetClassInfoA.USER32(00400000,?,?), ref: 00416427
Part of subcall function 004163B8: UnregisterClassA.USER32(?,00400000), ref: 00416453
Part of subcall function 004163B8: RegisterClassA.USER32(?), ref: 00416476

GetVersion.KERNEL32 ref: 0045E530
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045E56E
SHGetFileInfo.SHELL32(0045E60C,00000000,?,00000160,00004011), ref: 0045E58B
LoadCursorA.USER32(00000000,00007F02), ref: 0045E5A9
SetCursor.USER32(00000000,00000000,00007F02,0045E60C,00000000,?,00000160,00004011), ref: 0045E5AF
SetCursor.USER32(?,0045E5EF,00007F02,0045E60C,00000000,?,00000160,00004011), ref: 0045E5E2

Strings

Explorer, xrefs: 0045E54A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 04dae18e0789727a76a8890a65ab041c4f98a0ef290a8ca75c183f3cffa742e1
Instruction ID: e5db7c9749215eeb2d02e5ed912e0b3fe28138e3e2d2d7ddb3fe69776e4d8daf
Opcode Fuzzy Hash: 04dae18e0789727a76a8890a65ab041c4f98a0ef290a8ca75c183f3cffa742e1
Instruction Fuzzy Hash: 80213D717803087AEB14BBB69C47B9A36889B05709F4100BFBE05EA1C3EDBC8D05866C

Function 0045775C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004578DE,?,00000000,?,00000000,?,00000006,?,00000000,0048F8FB,?,00000000,0048F996), ref: 00457822

Part of subcall function 00452A2C: FindClose.KERNEL32(000000FF,00452B22), ref: 00452B11

Strings

Failed to strip read-only attribute., xrefs: 004577F0
Failed to delete directory (%d). Will retry later., xrefs: 0045783B
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004577FC
Deleting directory: %s, xrefs: 004577AB
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00457897
Failed to delete directory (%d)., xrefs: 004578B8
Stripped read-only attribute., xrefs: 004577E4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: c942cc8746309d6c4fde1d13e5877ff426f738c54e561dd9b6452c2f2059cbe1
Instruction ID: 7ed85959ced61155a0d0e848b4d98e2feb505fad3b81ad5ee62f34683386d719
Opcode Fuzzy Hash: c942cc8746309d6c4fde1d13e5877ff426f738c54e561dd9b6452c2f2059cbe1
Instruction Fuzzy Hash: 1941F830A182089BDB00EB69A8053AF76E59F49316F54857BAC01DB393D77C9E0CC75E

Function 00422DF8 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422E4C
GetCapture.USER32 ref: 00422E5B
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E61
ReleaseCapture.USER32 ref: 00422E66
GetActiveWindow.USER32 ref: 00422E75
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EF4
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F58
GetActiveWindow.USER32 ref: 00422F67

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: fab0767262203ab9b8eef4ea09c7b9bd12ecfbe98aad2e612e19eb807ad95d19
Instruction ID: 0cb4f9409eeca59ffb975aedecb23b840502150724600c34407ecb599f309318
Opcode Fuzzy Hash: fab0767262203ab9b8eef4ea09c7b9bd12ecfbe98aad2e612e19eb807ad95d19
Instruction Fuzzy Hash: BA416270B00254BFDB10EB69DA42B9EB7F1EB44304F5540BAF444AB292D7B89E40DB1C

Function 00429428 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000), ref: 00429432
GetTextMetricsA.GDI32(00000000), ref: 0042943B

Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F

SelectObject.GDI32(00000000,00000000), ref: 0042944A
GetTextMetricsA.GDI32(00000000,?), ref: 00429457
SelectObject.GDI32(00000000,00000000), ref: 0042945E
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00429466
GetSystemMetrics.USER32(00000006), ref: 0042948B
GetSystemMetrics.USER32(00000006), ref: 004294A5

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: 9834c26a9960500f6a9ecfd8d753213a1de3cd4ea19aff41d6da438e204e4863
Instruction ID: 1059aa7a6e273236e125af25209637a8817c3066b806c9f95c2c1fc45335f5e0
Opcode Fuzzy Hash: 9834c26a9960500f6a9ecfd8d753213a1de3cd4ea19aff41d6da438e204e4863
Instruction Fuzzy Hash: 830100917087503BF710B27A9CC2F6B5588DB8435CF80003FFA469A3C3DA6C8C41826A

Function 0041DDCC Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00419001,00490B35), ref: 0041DDCF
73A24620.GDI32(00000000,0000005A,00000000,?,00419001,00490B35), ref: 0041DDD9
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419001,00490B35), ref: 0041DDE6
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDF5
GetStockObject.GDI32(00000007), ref: 0041DE03
GetStockObject.GDI32(00000005), ref: 0041DE0F
GetStockObject.GDI32(0000000D), ref: 0041DE1B
LoadIconA.USER32(00000000,00007F00), ref: 0041DE2C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectStock$A24620A480A570IconLoad
String ID:
API String ID: 3573811560-0
Opcode ID: 9c1e6b037cfcf526f883390b7a6738af9fd81bafc879f9cac69ea1757f065c58
Instruction ID: 4ac4bd4aadafbff56ec06caa1a3c2c499f9ae773c567f2f7cd71ce954fcb2d20
Opcode Fuzzy Hash: 9c1e6b037cfcf526f883390b7a6738af9fd81bafc879f9cac69ea1757f065c58
Instruction Fuzzy Hash: F81142706453416AE740FF795E92BA63694EB24748F00803BF604EF6D2D7BD1C449B5E

Function 0045E910 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 0045EA14
SetCursor.USER32(00000000,00000000,00007F02,00000000,0045EAA9), ref: 0045EA1A
SetCursor.USER32(?,0045EA91,00007F02,00000000,0045EAA9), ref: 0045EA84

Strings

, xrefs: 0045ECAA
Internal error: Item already expanding, xrefs: 0045E9B1
, xrefs: 0045EC8F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 062bc24e025f87a5132b01d4a23ebbd0a7af6c8b69919735a7d8bfb9171ae665
Instruction ID: dca47056957fcd899ad7342011e10480afea1a1a27e56c2873f80f5661136381
Opcode Fuzzy Hash: 062bc24e025f87a5132b01d4a23ebbd0a7af6c8b69919735a7d8bfb9171ae665
Instruction Fuzzy Hash: 35B1BF30A042449FDB25DF2AC585B9ABBF0BF04305F5484AAEC459B793D738EE49CB45

Function 00452388 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045246F

Strings

[rename], xrefs: 004524D2, 0045250E
MoveFileEx, xrefs: 0045267F
NUL, xrefs: 00452531
.tmp, xrefs: 0045242B
WININIT.INI, xrefs: 0045241D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 45e843453f2affb6e33b9457c2c394c31b255a0f61839c8a32d89fd390f5010c
Instruction ID: b02a2244c8ac043b1712f4d5d459e41a201eed142cab655ca7120e0de3a2e1df
Opcode Fuzzy Hash: 45e843453f2affb6e33b9457c2c394c31b255a0f61839c8a32d89fd390f5010c
Instruction Fuzzy Hash: BA91F330A001099BDB11EFA5D982BDEB7F5AF49305F50847BE90077392D7B8AE09CB59

Function 004547A4 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

756FE550.OLE32(00491A3C,00000000,00000001,00491774,?,00000000,0045499A), ref: 004547E0

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

756FE550.OLE32(00491764,00000000,00000001,00491774,?,00000000,0045499A), ref: 00454804
SysFreeString.OLEAUT32(00000000), ref: 0045495F

Strings

IShellLink::QueryInterface, xrefs: 004548D7
IPersistFile::Save, xrefs: 00454931
CoCreateInstance, xrefs: 0045480F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: E550String$AllocByteCharFreeMultiWide
String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
API String ID: 2757340368-615220198
Opcode ID: 30c84a6b22ae8ec60ba87615f6782f2ed58e1117184a8e9cdc9aaee44ca2ff94
Instruction ID: 20b93dc07a47b2b5ead177be154b0c5a355cf91e616f5ebb89302d411650f3f2
Opcode Fuzzy Hash: 30c84a6b22ae8ec60ba87615f6782f2ed58e1117184a8e9cdc9aaee44ca2ff94
Instruction Fuzzy Hash: F15120B5A00105AFDB50EFA9C885F9F77F8AF49309F044066B904EB262D778DD88CB19

Function 004086C0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408908,?,?,?,?,00000000,00000000,00000000,?,0040990F,00000000,00409922), ref: 004086DA

Part of subcall function 00408508: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526

Part of subcall function 00408554: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408756,?,?,?,00000000,00408908), ref: 00408567

Strings

m/d/yy, xrefs: 004087A9
mmmm d, yyyy, xrefs: 004087CB
AMPM, xrefs: 004088A5
:mm, xrefs: 004088BC
:mm:ss, xrefs: 004088D6

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: ff036df80b210b54e2fa160841ffd8a7ad68a192e85da69035cbbac9a23d53b8
Instruction ID: 056ecf6f2f1527b7684b606c263ef1e3982ac19046fe7e290d3a86a54856ae2c
Opcode Fuzzy Hash: ff036df80b210b54e2fa160841ffd8a7ad68a192e85da69035cbbac9a23d53b8
Instruction Fuzzy Hash: 21512C74B001086BDB01FBA6DE91A9E7BA9DB84304F50D47FA181BB3C6CA3CDA05875D

Function 0041169C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004118A1), ref: 00411734
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117F2

Part of subcall function 00411A54: CreatePopupMenu.USER32 ref: 00411A6E

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0041187E

Part of subcall function 00411A54: CreateMenu.USER32 ref: 00411A78

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411865

Strings

,, xrefs: 00411747
?, xrefs: 0041174E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: baa12968a9006a52d5e4ef876005b49ebe402715d6320ec9eb47ca094d0fc02d
Instruction ID: 726e600f223273bd08914059578a8101eea6a2d33d3ff692803082349b8399f4
Opcode Fuzzy Hash: baa12968a9006a52d5e4ef876005b49ebe402715d6320ec9eb47ca094d0fc02d
Instruction Fuzzy Hash: 02511574A041419BDB10EF6ADC815DA7BF9AF09304B1185BBFA04E73B2D738D941CB58

Function 00453578 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,D:"G,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453794,00453794,?,00453794,00000000), ref: 00453720
CloseHandle.KERNEL32(?,?,D:"G,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453794,00453794,?,00453794), ref: 0045372D

Part of subcall function 004534E4: WaitForInputIdle.USER32(?,00000032), ref: 00453510
Part of subcall function 004534E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
Part of subcall function 004534E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
Part of subcall function 004534E4: CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561

Strings

.bat, xrefs: 00453608
COMMAND.COM" /C , xrefs: 0045368C
.cmd, xrefs: 00453623
D:"G, xrefs: 004536F8, 004536FB
cmd.exe" /C ", xrefs: 00453655

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D:"G$cmd.exe" /C "
API String ID: 854858120-4270494884
Opcode ID: 68475bbf8ef61ab6d23b9b8fd69e100de0613aec3012e07989d0195ce28e20d8
Instruction ID: e48de0c09470f56e814a1eaeb461330263aa011ed8558adaef5bf8b5374a4d6d
Opcode Fuzzy Hash: 68475bbf8ef61ab6d23b9b8fd69e100de0613aec3012e07989d0195ce28e20d8
Instruction Fuzzy Hash: AD517874A0034DABCB11EF95C881B9DBBB9AF48746F50403BBC04B7382D7789B198B58

Function 0041BE0B Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BED0
GetObjectA.GDI32(?,00000018,?), ref: 0041BEDF
GetBitmapBits.GDI32(?,?,?), ref: 0041BF30
GetBitmapBits.GDI32(?,?,?), ref: 0041BF3E
DeleteObject.GDI32(?), ref: 0041BF47
DeleteObject.GDI32(?), ref: 0041BF50
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF6D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 1e4853d75d21bc1926ba7cf5224c89ea8ebb7500f7ae85efd10c66dcd062618b
Instruction ID: f0e05dfe27ce23013596edce2c43a20e6d26497d7b74886029f11bde31f0b820
Opcode Fuzzy Hash: 1e4853d75d21bc1926ba7cf5224c89ea8ebb7500f7ae85efd10c66dcd062618b
Instruction Fuzzy Hash: 2A511675E002099FCB14DFA9C8819EEB7F9EF49310B11842AF514E7391D738AD81CB64

Function 0041CE80 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEA6
73A24620.GDI32(00000000,00000026), ref: 0041CEC5
73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF2B
73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF3A
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFA4
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFE2
73A18830.GDI32(?,?,00000001,0041D014,00000000,00000026), ref: 0041D007

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Stretch$A18830$A122A24620BitsMode
String ID:
API String ID: 430401518-0
Opcode ID: aa7efd9841db0397c835a8e493930d486de59a27429b2987e03207e86632ff54
Instruction ID: 716ae2cbf74db7cca6ca85613245d2cbdededc4b908a0ab63d95ef833b57d340
Opcode Fuzzy Hash: aa7efd9841db0397c835a8e493930d486de59a27429b2987e03207e86632ff54
Instruction Fuzzy Hash: 4C511EB0600604AFDB14DFA9C985F9BBBE8EF08304F14455AB545D7792C778ED81CB68

Function 00454F3C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00454F8E

Part of subcall function 00424224: GetWindowTextA.USER32(?,?,00000100), ref: 00424244

Part of subcall function 0041EE4C: GetCurrentThreadId.KERNEL32 ref: 0041EE9B
Part of subcall function 0041EE4C: 73A25940.USER32(00000000,0041EDFC,00000000,00000000,0041EEB8,?,00000000,0041EEEF,?,0042E7E8,?,00000001), ref: 0041EEA1

Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00454FF5
TranslateMessage.USER32(?), ref: 00455013
DispatchMessageA.USER32(?), ref: 0045501C

Strings

[Paused] , xrefs: 00454FC4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3047529653-4230553315
Opcode ID: 141f149095fb27d577fc31764a328687d2f30d229be375c220db36f4bd74699d
Instruction ID: 741a01f18879a345a5b07686917d8e40ce5d5c24a876243dd54feaf600687e8f
Opcode Fuzzy Hash: 141f149095fb27d577fc31764a328687d2f30d229be375c220db36f4bd74699d
Instruction Fuzzy Hash: 3231E331908644AECB11DBB5DC51BEE7BB8EB49704F50447BE800E32D2D67C9909CBA9

Function 00466210 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046634F), ref: 004662CC
LoadCursorA.USER32(00000000,00007F02), ref: 004662DA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046634F), ref: 004662E0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046634F), ref: 004662EA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046634F), ref: 004662F0

Strings

CheckPassword, xrefs: 00466274

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: a2f9e29d2fd47cbe49e50b2b8c9181dc4ebe3878211084bf54e37939886680c3
Instruction ID: e12dea2b5957d6b50ca2ed371003984113864468440f1a681d17ee3b0f813ced
Opcode Fuzzy Hash: a2f9e29d2fd47cbe49e50b2b8c9181dc4ebe3878211084bf54e37939886680c3
Instruction Fuzzy Hash: 2931A774644204AFD701EF69C88AF9E7BE1AF45304F5680B6F904AB3E2D7789E40CB59

Function 0041C0F0 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFF0: GetObjectA.GDI32(?,00000018), ref: 0041BFFD

GetFocus.USER32 ref: 0041C110
73A1A570.USER32(?), ref: 0041C11C
73A18830.GDI32(?,?,00000000,00000000,0041C19B,?,?), ref: 0041C13D
73A122A0.GDI32(?,?,?,00000000,00000000,0041C19B,?,?), ref: 0041C149
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C160
73A18830.GDI32(?,00000000,00000000,0041C1A2,?,?), ref: 0041C188
73A1A480.USER32(?,?,0041C1A2,?,?), ref: 0041C195

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A18830$A122A480A570BitsFocusObject
String ID:
API String ID: 2231653193-0
Opcode ID: 4b5817af3930a7da88de8c776c2c87f1b057dc8e6189491f9691f509f6f43723
Instruction ID: e1839615c60f4afd83c90c330261c8dd65eba5fe4d32295df669e4ba5c229ee2
Opcode Fuzzy Hash: 4b5817af3930a7da88de8c776c2c87f1b057dc8e6189491f9691f509f6f43723
Instruction Fuzzy Hash: 24116D71A44608BBDB10DBE9CC85FAFB7FCEF48700F54446AB518E7281D63898008B28

Function 0047C58C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047C644), ref: 0047C629

Strings

System\CurrentControlSet\Control\ProductOptions, xrefs: 0047C5B0
ProductType, xrefs: 0047C5C8
LanmanNT, xrefs: 0047C5F3
ServerNT, xrefs: 0047C60D
WinNT, xrefs: 0047C5D9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 216c442831188f385001bfb6125c95756f0f6973d9343121dce614720b27fbcb
Instruction ID: ba25b35c1adc0b75f4f324f6cb59f82a98d74cc289aeabc78b4d1a44d03816b4
Opcode Fuzzy Hash: 216c442831188f385001bfb6125c95756f0f6973d9343121dce614720b27fbcb
Instruction Fuzzy Hash: 84118E30B04204AADB10DB659AC2B9A7BA89B56308F61D0BFA408A7285DB789A018758

Function 0041B40A Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B418
SelectObject.GDI32(?,00000000), ref: 0041B427
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B453
SelectObject.GDI32(00000000,00000000), ref: 0041B461
SelectObject.GDI32(?,00000000), ref: 0041B46F
DeleteDC.GDI32(00000000), ref: 0041B478
DeleteDC.GDI32(?), ref: 0041B481

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: d8fcd08cd1e6b3b068bfae977a68b3e89a280d1eb5928260e7975f8e8b8626d0
Instruction ID: 04c6450d5990685007640eea88a29337d1268334102612a79928454e9dde4d04
Opcode Fuzzy Hash: d8fcd08cd1e6b3b068bfae977a68b3e89a280d1eb5928260e7975f8e8b8626d0
Instruction Fuzzy Hash: 3F114CB2E00555ABDF10DAD9D885FEFB3BCEF08704F048556B614FB241C678A9418B54

Function 0048D690 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,?,00000000), ref: 0048D6A1

Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F

SelectObject.GDI32(00000000,00000000), ref: 0048D6C3
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048DC19), ref: 0048D6D7
GetTextMetricsA.GDI32(00000000,?), ref: 0048D6F9
73A1A480.USER32(00000000,00000000,0048D723,0048D71C,?,00000000,?,?,00000000), ref: 0048D716

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048D6CE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: 2b902195bd78e3a85a14461ba25cf2a461328febbf25ed1a984847a0c9924e98
Instruction ID: 56f2b7a4074af1b55b95a42d0c90d732b29dffae751eaa68173dd8b8b984e531
Opcode Fuzzy Hash: 2b902195bd78e3a85a14461ba25cf2a461328febbf25ed1a984847a0c9924e98
Instruction Fuzzy Hash: E5012575A05608AFDB01EEA5CC41F5FB7ECDB49704F51447AB504E72C1D678AD008B68

Function 0042333C Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00423357
WindowFromPoint.USER32(?,?), ref: 00423364
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423372
GetCurrentThreadId.KERNEL32 ref: 00423379
SendMessageA.USER32(00000000,00000084,?,?), ref: 00423392
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004233A9
SetCursor.USER32(00000000), ref: 004233BB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 7a1fa5eb43588ed905b36272748367152b50e279982f14557b7e119d831a34ac
Instruction ID: 0b857e85cec8b006a236e34f0c55496e129225b07c91d7ef35ca05f8a9fb34e8
Opcode Fuzzy Hash: 7a1fa5eb43588ed905b36272748367152b50e279982f14557b7e119d831a34ac
Instruction Fuzzy Hash: 5801D42230431026D620BB795C86F2F62A9DFC5B25F50453FBA09AB283DE3D8D1063AD

Function 0048D4B4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0048D4C4
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048D4D1
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048D4DE

Strings

MonitorFromRect, xrefs: 0048D4CB
user32.dll, xrefs: 0048D4BF
GetMonitorInfoA, xrefs: 0048D4D8

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 39bebf5cdc522e2b788824c1d824eab9c167e0fb480ea12f995934913c9d8500
Instruction ID: 67b51c375aa01bca0c5088982691f1e3d037f3b871651ee40e205a1bc027e1e2
Opcode Fuzzy Hash: 39bebf5cdc522e2b788824c1d824eab9c167e0fb480ea12f995934913c9d8500
Instruction Fuzzy Hash: 19F0C292E42B1476DA1035BA0C82E7F628CCB8A768F140837BD45A72C2E9688D0543AD

Function 0045A67C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045A685
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045A695
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045A6A5

Strings

ArcFourCrypt, xrefs: 0045A69F
ArcFourInit, xrefs: 0045A68F
ISCryptGetVersion, xrefs: 0045A67F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: 6c44a559e0113ee3e9627393b6d72c696891dddf580004d2a213ddd529ef0017
Instruction ID: 4e0395d972810c9416c3368882ebdde2c5e01ffaaeaf982be760f48a4fca4704
Opcode Fuzzy Hash: 6c44a559e0113ee3e9627393b6d72c696891dddf580004d2a213ddd529ef0017
Instruction Fuzzy Hash: 3DF062B1532700FBDB08DF729EC422736B5B364396F18C13BA804551AAD7BC0458EA0D

Function 0045AB7C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045AB85
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045AB95
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045ABA5

Strings

BZ2_bzDecompress, xrefs: 0045AB8F
BZ2_bzDecompressInit, xrefs: 0045AB7F
BZ2_bzDecompressEnd, xrefs: 0045AB9F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 7f769d8cd905983f6cd8b0047f0826717d18397314b06371627eac2a981e6e67
Instruction ID: 78c3aec0c34357df070bc40c46de1e5cd03a4b776be7e77430bdb5cc110f23ad
Opcode Fuzzy Hash: 7f769d8cd905983f6cd8b0047f0826717d18397314b06371627eac2a981e6e67
Instruction Fuzzy Hash: 66F06DB0500742EADB14DF32AE44B3237A6A368306F04913BA909552AAD7FC145EEE5E

Function 0044BEB8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044E775), ref: 0044BEC7
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BED8
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BEE8

Strings

oleacc.dll, xrefs: 0044BEC2
CreateStdAccessibleObject, xrefs: 0044BEE2
LresultFromObject, xrefs: 0044BED2

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 94c7f55b7858a86dfc8e1d027d5a29c74593de5c18c70a69c9d3636859c232a8
Instruction ID: 119d9ded96c8020385292050e9bd4a1b60054d62b4ab52501d4127c2865211ec
Opcode Fuzzy Hash: 94c7f55b7858a86dfc8e1d027d5a29c74593de5c18c70a69c9d3636859c232a8
Instruction Fuzzy Hash: 62F0FE70545745AAEB10ABE49E86B223294E320709F10157BA005B52E1C7FDC48CCE5D

Function 0042E744 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 20libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048DD4A,QueryCancelAutoPlay,00490B7B), ref: 0042E75A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E760
InterlockedExchange.KERNEL32(00492660,00000001), ref: 0042E771
ChangeWindowMessageFilter.USER32(0000C1C1,00000001), ref: 0042E782

Strings

user32.dll, xrefs: 0042E755
ChangeWindowMessageFilter, xrefs: 0042E750

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1365377179-2498399450
Opcode ID: 6a9de858e1701b34b855b8354cc27d5781c45a445a0336004b65701d5bd939bd
Instruction ID: 232ca1bda8f30e1dbeb1e37a17564225c323fdce3e6d3ccf23913f9b659c3ecd
Opcode Fuzzy Hash: 6a9de858e1701b34b855b8354cc27d5781c45a445a0336004b65701d5bd939bd
Instruction Fuzzy Hash: 50E0ECB1742310BAEA247BB26E8AF5A2594A774715F900037F000655E6C6FD0D44D91D

Function 00472434 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00490B71), ref: 0047243A
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00472447
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00472457

Strings

VerSetConditionMask, xrefs: 00472441
VerifyVersionInfoW, xrefs: 00472451
kernel32.dll, xrefs: 00472435

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 7080541768798b3df736431f9a72840aa573f0e58d303b716fe08131e3bd796c
Instruction ID: 2634119a36086f07b4582bff0c6698110bc0db6046ba951e872dfe9231fcc97c
Opcode Fuzzy Hash: 7080541768798b3df736431f9a72840aa573f0e58d303b716fe08131e3bd796c
Instruction Fuzzy Hash: 7AC0C9E0641700AEAA08B7B11E8397A2168D520B29B10813B704869187D6FC08045A2C

Function 0041B614 Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B6ED
73A1A570.USER32(?), ref: 0041B6F9
73A18830.GDI32(00000000,?,00000000,00000000,0041B7C4,?,?), ref: 0041B72E
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B7C4,?,?), ref: 0041B73A
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7A2,?,00000000,0041B7C4,?,?), ref: 0041B768
73A18830.GDI32(00000000,00000000,00000000,0041B7A9,?,?,00000000,00000000,0041B7A2,?,00000000,0041B7C4,?,?), ref: 0041B79C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID:
API String ID: 3906783838-0
Opcode ID: 2189f248925abbd8b3ed1d854bd6b727da44b470d0452cebfb9837d533ec30a6
Instruction ID: 8a3990a2e5d6fcee7426173f9b26f44009bdffde0bb17d68edab7397fe7bbe52
Opcode Fuzzy Hash: 2189f248925abbd8b3ed1d854bd6b727da44b470d0452cebfb9837d533ec30a6
Instruction Fuzzy Hash: 8C513D70A00608AFCF11DFA9C895AEEBBF4EF49704F10446AF510A7390D7789D81CBA9

Function 0041B8E4 Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B9BF
73A1A570.USER32(?), ref: 0041B9CB
73A18830.GDI32(00000000,?,00000000,00000000,0041BA91,?,?), ref: 0041BA05
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA91,?,?), ref: 0041BA11
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA6F,?,00000000,0041BA91,?,?), ref: 0041BA35
73A18830.GDI32(00000000,00000000,00000000,0041BA76,?,?,00000000,00000000,0041BA6F,?,00000000,0041BA91,?,?), ref: 0041BA69

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID:
API String ID: 3906783838-0
Opcode ID: d8a2f350e31498a5aae0f9e9012618de704534965e1e336577d5547a4b9cf6c8
Instruction ID: 5f2264137962bc3366777cb0a2f232ffee2f3444c58f5864d32a49a15d3a62ac
Opcode Fuzzy Hash: d8a2f350e31498a5aae0f9e9012618de704534965e1e336577d5547a4b9cf6c8
Instruction Fuzzy Hash: FF512A75A002089FCB11DFA9C891AAEBBF9EF48700F118066F904EB751D7389D40CBA4

Function 0041B4B0 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B526
73A1A570.USER32(?,00000000,0041B600,?,?,?,?), ref: 0041B532
73A24620.GDI32(?,00000068,00000000,0041B5D4,?,?,00000000,0041B600,?,?,?,?), ref: 0041B54E
73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B5D4,?,?,00000000,0041B600,?,?,?,?), ref: 0041B56B
73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B5D4,?,?,00000000,0041B600), ref: 0041B582
73A1A480.USER32(?,?,0041B5DB,?,?), ref: 0041B5CE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: E680$A24620A480A570Focus
String ID:
API String ID: 3709697839-0
Opcode ID: 01c1ab1f7a911bde34d09cc2a342371f0a4accf8ff51a2ca553a34b6587143a8
Instruction ID: 7d01233871e956700e45bbdad6d64e5c71f2ea9c135790645ddd3605e450c40d
Opcode Fuzzy Hash: 01c1ab1f7a911bde34d09cc2a342371f0a4accf8ff51a2ca553a34b6587143a8
Instruction Fuzzy Hash: 75410831A04258AFCB10DFA9C885EAFBBB5EF49704F1484AAF540E7341D3389D10CBA9

Function 004571F4 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,02193888,00000FFF,00000000,00457320,?,?,00000000,00000000), ref: 0045725B

Part of subcall function 00456B34: CloseHandle.KERNEL32(?), ref: 00456B6B
Part of subcall function 00456B34: WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456B95
Part of subcall function 00456B34: GetExitCodeProcess.KERNEL32(?), ref: 00456BA6
Part of subcall function 00456B34: CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456BED
Part of subcall function 00456B34: Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456C09

Part of subcall function 00456B34: TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456B87

Strings

UnRegisterTypeLib, xrefs: 004572EF
RegisterTypeLib, xrefs: 004572C1
ITypeLib::GetLibAttr, xrefs: 004572D3
LoadTypeLib, xrefs: 004572A4
HelperRegisterTypeLibrary: StatusCode invalid, xrefs: 004572FB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
API String ID: 3965036325-83444288
Opcode ID: 48a304393f9a5fdad174ccbc4c24f8d38665409cf09cad508aa9efef9afbbf6f
Instruction ID: f74eade9246c561d7eda77dee430a1fc41308778ed490b298c47d2a514b049d7
Opcode Fuzzy Hash: 48a304393f9a5fdad174ccbc4c24f8d38665409cf09cad508aa9efef9afbbf6f
Instruction Fuzzy Hash: 1A318F30708604EBD711EB7A9882A5EB7E8EB44316F50847BBC45D7393DB38AE09D61D

Function 0045A540 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5AB
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045A678,?,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5EA

Strings

CURRENT_USER, xrefs: 0045A57F
USERS, xrefs: 0045A59D
MACHINE, xrefs: 0045A58E
CLASSES_ROOT, xrefs: 0045A570

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 068a73805bbc91043a3266f77ff4c4ee40905737be1478f272e1aee34357c8d5
Instruction ID: 2c7cc5846e01bfe9336b3e21a4f35d5db95fca715acc3ac4ded287c5e5725028
Opcode Fuzzy Hash: 068a73805bbc91043a3266f77ff4c4ee40905737be1478f272e1aee34357c8d5
Instruction Fuzzy Hash: 3611A53560420CFBDB11DAA5C941F9E7AACDB84306F644137BD0166283E67C5F1E992F

Function 0041BD34 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BD7D
GetSystemMetrics.USER32(0000000C), ref: 0041BD87
73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD91
73A24620.GDI32(00000000,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDB8
73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC5
73A1A480.USER32(00000000,00000000,0041BE0B,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDFE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A24620MetricsSystem$A480A570
String ID:
API String ID: 4042297458-0
Opcode ID: c0f607c4832dab40e87e7b844f37412e582122e43c2ccad9e229f5b09a45b98f
Instruction ID: ff93124ca59b6ac00208e06d0df3eb10c0faf638cbb47b26d2833e339793a6eb
Opcode Fuzzy Hash: c0f607c4832dab40e87e7b844f37412e582122e43c2ccad9e229f5b09a45b98f
Instruction Fuzzy Hash: 54213C74E00649AFEB04EFA9C942BEEB7B4EB48714F10802AF514B7780D7785940CFA9

Function 00477494 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 004774A2
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00467815), ref: 004774C8
GetWindowLongA.USER32(?,000000EC), ref: 004774D8
SetWindowLongA.USER32(?,000000EC,00000000), ref: 004774F9
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047750D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00477529

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: eb138f1f0dc8c3891b790c124640c211a15ee428b02e70e25eaa3bdc4020e718
Instruction ID: d82ed46f6b466fc3f8bc0bdcacefb2f605830931c017ceeb26b2ec5954116533
Opcode Fuzzy Hash: eb138f1f0dc8c3891b790c124640c211a15ee428b02e70e25eaa3bdc4020e718
Instruction Fuzzy Hash: 46015EB5655310BBD700DBA8CE41F263798AB0D334F090266B558DF7E3C279DC008BA8

Function 0041B218 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A688: CreateBrushIndirect.GDI32 ref: 0041A6F3

UnrealizeObject.GDI32(00000000), ref: 0041B224
SelectObject.GDI32(?,00000000), ref: 0041B236
SetBkColor.GDI32(?,00000000), ref: 0041B259
SetBkMode.GDI32(?,00000002), ref: 0041B264
SetBkColor.GDI32(?,00000000), ref: 0041B27F
SetBkMode.GDI32(?,00000001), ref: 0041B28A

Part of subcall function 0041A000: GetSysColor.USER32(?), ref: 0041A00A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: f29873dfcf61593aa75cb2549b6a9cf3e48997b8b5295c1044d98b88f295631e
Instruction ID: 991835cd13d00b1ecf70cab2c5668301369c46a92689b2ced77f157eaba3f874
Opcode Fuzzy Hash: f29873dfcf61593aa75cb2549b6a9cf3e48997b8b5295c1044d98b88f295631e
Instruction Fuzzy Hash: F1F0BFB1151500ABCF00FFAAD9CBE4B27A89F043097148057B944DF197C538D8504B3A

Function 00473910 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,jPG,?,00000000,00000000,00000001,00000000,00473BAD,?,00000000), ref: 00473B71

Strings

jPG, xrefs: 00473AAB, 00473ACF, 00473B50, 00473AAE
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 004739E5
Failed to parse "reg" constant, xrefs: 00473B78
yNG, xrefs: 00473B31

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$jPG$yNG
API String ID: 3535843008-3932832818
Opcode ID: fe45ef2342a58487a09325f3d72e231b2f56a556e2c95cc83f03531c0fc218de
Instruction ID: b7c2468eb7ac37771866f0ed0bbac7860b45a2d6c62ae04d18380af0e8b21fb7
Opcode Fuzzy Hash: fe45ef2342a58487a09325f3d72e231b2f56a556e2c95cc83f03531c0fc218de
Instruction Fuzzy Hash: D6816474E00148AFCB10DFA5C442ADEBBF9AF48315F5085AAE454B7391D738AF05CB98

Function 0047087C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004708D2
73A259E0.USER32(00000000,000000FC,00470830,00000000,00470A62,?,00000000,00470A87), ref: 004708F9
GetACP.KERNEL32(00000000,00470A62,?,00000000,00470A87), ref: 00470936
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047097C

Strings

COMBOBOX, xrefs: 004708CB

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A259ClassInfoMessageSend
String ID: COMBOBOX
API String ID: 3217714596-1136563877
Opcode ID: 4db748e39614629576759290719755d4f62f5ff744c25c03a842ef39f5d171c9
Instruction ID: ada8455a1527fb003519a52fc9fb8cd1e3de5cb64bb436e33c8ec601d2d438b3
Opcode Fuzzy Hash: 4db748e39614629576759290719755d4f62f5ff744c25c03a842ef39f5d171c9
Instruction Fuzzy Hash: 63514D74A01205EFDB10DF69D885A9EB7B5EB49304F1481BAE808DB762C778AD41CB98

Function 00453BEC Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453D83,?,00000000,00453DC3), ref: 00453CC9

Strings

PendingFileRenameOperations, xrefs: 00453C68
WININIT.INI, xrefs: 00453CF8
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453C4C
PendingFileRenameOperations2, xrefs: 00453C98

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 5e4138a75d676a6e29719ea14a6ac8f3ccc9f4e4cde26a7556b0de88dae5e1ac
Instruction ID: aa5cd69e504587c061a58de22e540fe2c0eb6883408e267526cdea27caab368f
Opcode Fuzzy Hash: 5e4138a75d676a6e29719ea14a6ac8f3ccc9f4e4cde26a7556b0de88dae5e1ac
Instruction Fuzzy Hash: AF51D730E002489BDB10EF61DC52ADEB7B9EF44745F50857BE804A7292DB3CAF09CA18

Function 0048FDEC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284

ShowWindow.USER32(?,00000005,00000000,00490051,?,?,00000000), ref: 0048FE22

Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB

Part of subcall function 00407248: SetCurrentDirectoryA.KERNEL32(00000000,?,0048FE4A,00000000,0049001D,?,?,00000005,00000000,00490051,?,?,00000000), ref: 00407253

Part of subcall function 0042D330: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3BE,?,?,00000000,?,?,0048FE54,00000000,0049001D,?,?,00000005), ref: 0042D365

Strings

IMsg, xrefs: 0048FEF6
.dat, xrefs: 0048FE69
Uninstall, xrefs: 0048FE08
.msg, xrefs: 0048FE88

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 58f822fbd837717f0981da684dc2b383601ea0dfaea9b5e4cf4cd09cf21b3ff0
Instruction ID: 7c6a2e238760992e5c67a20dbafbe681e3287029f6f793f122bf29b0ac37eaf5
Opcode Fuzzy Hash: 58f822fbd837717f0981da684dc2b383601ea0dfaea9b5e4cf4cd09cf21b3ff0
Instruction Fuzzy Hash: 33316134A002049FCB11FF65DC52A5E7BB5EB89308F50847BF900A7751CB39AD05DB58

Function 00404D2A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
di@, xrefs: 00404D51, 00404D5C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$di@
API String ID: 1220098344-180755605
Opcode ID: cb3f50221c7fc4a280dd17ceecd31964af7b7a4f5716c995046d60236483f2a1
Instruction ID: 54305f10cd77fd258ec0cbb2b3b89b3afa079266c0d37f3845e7031a68d66c88
Opcode Fuzzy Hash: cb3f50221c7fc4a280dd17ceecd31964af7b7a4f5716c995046d60236483f2a1
Instruction Fuzzy Hash: 1E21C560A44281AAEB16A775EE817163B9197E5348F048177E700B73F3C6FC8C84C7AE

Function 00455C4C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455C7C
GetExitCodeProcess.KERNEL32(?,00490736), ref: 00455C9D
CloseHandle.KERNEL32(?,00455CD0,?,?,dE,00000000,00000000), ref: 00455CC3

Strings

GetExitCodeProcess, xrefs: 00455CA6
MsgWaitForMultipleObjects, xrefs: 00455C89

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 3a4e1d8e3212983b0db30b4301edd67b4f03435f1b712903e7d44db79ec60759
Instruction ID: e42cd4710a2bc55cfeee88e204bbff949c6156d41efd27b396eab6340a6db490
Opcode Fuzzy Hash: 3a4e1d8e3212983b0db30b4301edd67b4f03435f1b712903e7d44db79ec60759
Instruction Fuzzy Hash: 2001DB30644B04AFDB12DB99CD51F3A73A8EB45714F604477F910E73D3D679AD048658

Function 0042DC6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(?,00000000), ref: 0042DC78
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DDFB,00000000,0042DE13,?,?,?,?,00000006,?,00000000,0048F8FB), ref: 0042DC93
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DC99

Strings

RegDeleteKeyExA, xrefs: 0042DC89
advapi32.dll, xrefs: 0042DC8E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 4d879dacb439db73e44281dd357f43295a9124d1e96faca6c59bbbcf227e751d
Instruction ID: f6d26141eb233d03b94b2ed72026fa1db25b9960d6d40d8c32de7d906beb62d4
Opcode Fuzzy Hash: 4d879dacb439db73e44281dd357f43295a9124d1e96faca6c59bbbcf227e751d
Instruction Fuzzy Hash: AAE06DF0B41230BAD62067ABBE4AF9326289F64725F544537F145A62D182FC4C41DE5C

Function 00471674 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0047167C
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00471773,\/I,00000000), ref: 0047168F
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00471695

Strings

user32.dll, xrefs: 0047168A
AllowSetForegroundWindow, xrefs: 00471685

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: aa661ddeab3caf5f101db6b0e0b7614fbf7376c7e63f4f7fd5c65f3a9d368f71
Instruction ID: a3f3d1e0e2b6813b030e7eba76e2e5281102dca64866dc994b1bbab78c7268d3
Opcode Fuzzy Hash: aa661ddeab3caf5f101db6b0e0b7614fbf7376c7e63f4f7fd5c65f3a9d368f71
Instruction Fuzzy Hash: ACD05EA0A017016BDE20B2B98D46D9B229C8D9471571C842B3404E21A6CA7CE800593C

Function 00416BD4 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416BFA
SaveDC.GDI32(?), ref: 00416C2B
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CED), ref: 00416C8C
RestoreDC.GDI32(?,?), ref: 00416CB3
EndPaint.USER32(00000000,?,00416CF4,00000000,00416CED), ref: 00416CE7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 05b91c705dead32c22d601d06aaaaefc09bf00903a581cfd1e69d9044e53cd27
Instruction ID: 511e07c03593910ab38166e7e8fb99fbe2c7a584a9aae09983b44cf3f48c28fc
Opcode Fuzzy Hash: 05b91c705dead32c22d601d06aaaaefc09bf00903a581cfd1e69d9044e53cd27
Instruction Fuzzy Hash: E3414F70A04204AFCB14DFA9C985FAEB7F8EF48304F1640AAE84497362D778ED41CB58

Function 004147A8 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004147DE
MulDiv.KERNEL32(?,?,?), ref: 004147F8
MulDiv.KERNEL32(?,?,?), ref: 00414821
MulDiv.KERNEL32(?,?,?), ref: 0041484C
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414894

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db4e5bd5f3073e3ba55cd164d497178988a2e4975f87a427fd18fb625363a14
Instruction ID: 16203bcbef39f9c243701adad7e95064df465d958f07c31b5226583d855f1c1b
Opcode Fuzzy Hash: 1db4e5bd5f3073e3ba55cd164d497178988a2e4975f87a427fd18fb625363a14
Instruction Fuzzy Hash: 26311F746047409FC320EB69C985BABB7E8AF89714F04891EF9D5C7791C678EC818B19

Function 00429774 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297B0
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297DF
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297FB
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429826
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429844

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4dd9bf55c7c84a0b3396b3554a59a90620238bc04d6e8efcc95ab0f776c5b98c
Instruction ID: 5d1141d17212aa5e1ef3752c12f2028c23e494b9df8dcdef2cd4cdfe20676ed7
Opcode Fuzzy Hash: 4dd9bf55c7c84a0b3396b3554a59a90620238bc04d6e8efcc95ab0f776c5b98c
Instruction Fuzzy Hash: 3D21A1707507047AD710AB67DC82F9B76ACEB42B04F95443E7502BB2D2DA79DD428258

Function 0041BB60 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BB72
GetSystemMetrics.USER32(0000000C), ref: 0041BB7C
73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBBA
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD25,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC01
DeleteObject.GDI32(00000000), ref: 0041BC42

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$A26310A570DeleteObject
String ID:
API String ID: 4277397052-0
Opcode ID: 9adb9e8c89caf01d0a638f348740fc7edbd2731d44c2c24643151140fb28a82b
Instruction ID: 7d0d535dbebdf4f070bae8ba3fc8fcac1153e0bddf000454aa628fb6ab968105
Opcode Fuzzy Hash: 9adb9e8c89caf01d0a638f348740fc7edbd2731d44c2c24643151140fb28a82b
Instruction Fuzzy Hash: 0D317174E00209EFDB04DFA5C941AAEF7F5EB48700F10846AF514AB385D7389E80DB94

Function 0046D898 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045A540: SetLastError.KERNEL32(00000057,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5AB

GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D925
GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D93B

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 0046D92F
Setting permissions on registry key: %s\%s, xrefs: 0046D8EA
Failed to set permissions on registry key (%d)., xrefs: 0046D94C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 18f77fade0994c6fc899b5d9ef85e329e14ba50152d782af13df1c5d82336a90
Instruction ID: 2fb07483fd0a7251048a58d7dedf702ee348f7c8dbf283d8b9408d2b96eb0a9e
Opcode Fuzzy Hash: 18f77fade0994c6fc899b5d9ef85e329e14ba50152d782af13df1c5d82336a90
Instruction Fuzzy Hash: CB21A4B0F046445FCB00DBA9C8826AEBAE4DB49314F50417BA414E7392E6785D09CBAE

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: ec9330e6fa7a8659c1beb9ec543e50d139d4e0e8a78981a79d0ac640ed5c34b8
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: ec9330e6fa7a8659c1beb9ec543e50d139d4e0e8a78981a79d0ac640ed5c34b8
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 00414388 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73A18830.GDI32(00000000,00000000,00000000), ref: 004143C1
73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 004143C9
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143DD
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143E3
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143EE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A122A18830$A480
String ID:
API String ID: 3325508737-0
Opcode ID: a82122af31a8aec246995b2a86ca6dd819a62577bbe41f01694e2b233259fffd
Instruction ID: 075c4eaa6eababf39ef1bcc04ba03af1ed36323413641ea814e4f99408aec64f
Opcode Fuzzy Hash: a82122af31a8aec246995b2a86ca6dd819a62577bbe41f01694e2b233259fffd
Instruction Fuzzy Hash: E501DF3131C3806AD200B63E8C85A9F6BED8FCA314F05546EF498DB382CA7ACC018766

Function 0047BB48 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,0047BE5D,?,?,00000001,?), ref: 0047BC59
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047BCCE

Strings

Need to restart Windows? %s, xrefs: 0047BD0B
, xrefs: 0047BD8B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: f71dca2b3cdd1a9f974c47fd04c85dafb3fc8e5a441d9339a4d45334759f384d
Instruction ID: f4c1e1fff3503470ea18fdaabc6d14c851de77ee15ab21044676623dc6a244ae
Opcode Fuzzy Hash: f71dca2b3cdd1a9f974c47fd04c85dafb3fc8e5a441d9339a4d45334759f384d
Instruction Fuzzy Hash: 0F9170346042449FCB01EF69D886B9A77F5EF56308F1080BBE8049B366DB78AD45CB99

Function 00469F80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720

Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC

GetLastError.KERNEL32(00000000,0046A17D,?,?,00000001,0049307C), ref: 0046A05A
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046A0D4
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046A0F9

Strings

Creating directory: %s, xrefs: 0046A042

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$CharErrorFullLastNamePathPrev
String ID: Creating directory: %s
API String ID: 2168629741-483064649
Opcode ID: eaa5e955b4a82374fedd4bb1d7a028e07cef00fa7cb12a1e86328300a5bb0db0
Instruction ID: 39b67aeb1d7855c22aabfe2f82cf891ef9e94af442bcdac43ae26702b455444b
Opcode Fuzzy Hash: eaa5e955b4a82374fedd4bb1d7a028e07cef00fa7cb12a1e86328300a5bb0db0
Instruction Fuzzy Hash: 8A512374E00248ABDB01DFA9C982BDEB7F5AF49304F50846AE851B7382D7785E04CF5A

Function 00406F44 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FA3
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040701D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407075

Strings

Z, xrefs: 00406FDC

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: b45eb0edb20795645dcbd4fc4cc9de1517ba2fb8e3a3a1bdfe5558624a41bfc2
Instruction ID: bd8e5ae94ca74df4e9131491a9bde93b7ed2ce1d7e59c57d2d509c2ab305fdf4
Opcode Fuzzy Hash: b45eb0edb20795645dcbd4fc4cc9de1517ba2fb8e3a3a1bdfe5558624a41bfc2
Instruction Fuzzy Hash: C3516370E04248AFDB11DF65C981A9FB7B9EF09304F1041BAE500BB3D1D778AE458B5A

Function 0044C69C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044C72A
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C755
DrawTextA.USER32(00000000,00000000), ref: 0044C7EE

Strings

, xrefs: 0044C70F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: f37fe9e577420607298c9583aacd29a253469b4ecb6affd38da19aac1ff88878
Instruction ID: 4bcae54fe600c87244e68b3e4b857699d32a5b02b35774ead0fedabfa34a998c
Opcode Fuzzy Hash: f37fe9e577420607298c9583aacd29a253469b4ecb6affd38da19aac1ff88878
Instruction Fuzzy Hash: 14514C70A00249AFDB51DFA5C885BDEBBF4EF49304F18807AE845EB252D738A945CF64

Function 0042E8AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,00000000,0042E9FF,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8D6

Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F

SelectObject.GDI32(?,00000000), ref: 0042E8F9
73A1A480.USER32(00000000,?,0042E9E4,00000000,0042E9DD,?,00000000,00000000,0042E9FF,?,?,?,?,00000000,00000000,00000000), ref: 0042E9D7

Strings

...\, xrefs: 0042E989

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: 0abe42e3825d138716532803585986b19ef8b1cd23e6fed3d9a5b7748e7d04e5
Instruction ID: 807027aef349940e21883cde7310681b589974d129d52fe5cab9b03fce9682ec
Opcode Fuzzy Hash: 0abe42e3825d138716532803585986b19ef8b1cd23e6fed3d9a5b7748e7d04e5
Instruction Fuzzy Hash: E43163B0B00228AFDF11EB9AD841BAEB7F8EF49304F90447BF400A7291D7785D41CA59

Function 0045333C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004533EA
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004534B0), ref: 00453454

Strings

sfc.dll, xrefs: 004533AC
SfcIsFileProtected, xrefs: 004533E4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 85079f74e90700b6d1b366bf6e001016943dfb8dc77e17398e66bb02010dc287
Instruction ID: 1adb4bde248a8b19f2f304064bd770535e454300abe4aaf5ea9dda1ac3de6c9a
Opcode Fuzzy Hash: 85079f74e90700b6d1b366bf6e001016943dfb8dc77e17398e66bb02010dc287
Instruction Fuzzy Hash: C741B470A00218ABEB21DF55DD85B9DB7B8AB0534AF5040BBF808A3292D7785F48DA5C

Function 00452038 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452127
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452137

Strings

.tmp, xrefs: 004520DB
_iu, xrefs: 004520C9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: cbc7b6296da48d79ffcb0f48c517e04f3662845ca18ee5cfcd3d2c16b97ed60b
Instruction ID: 8b1672352a1cca793e1e6cdfbdd22016e493eddba5fdcbb921eb9ed9b7b44ad0
Opcode Fuzzy Hash: cbc7b6296da48d79ffcb0f48c517e04f3662845ca18ee5cfcd3d2c16b97ed60b
Instruction Fuzzy Hash: 0A31B470A00219ABCB11EBA5C982B9FBBB5AF55305F60452BF900B73C2D6785F05C769

Function 0048B200 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 92registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,0048B2FE,?,?,00000001,00000000,00000000,0048B319), ref: 0048B2E7

Strings

%s\%s_is1, xrefs: 0048B278
Inno Setup CodeFile: , xrefs: 0048B2AA
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048B25A

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1837835967
Opcode ID: 14285ca2f0b5050eeb10927837999f101f9ee02a017fb9b220db0c994c14a3e0
Instruction ID: 0bbfca5d8e67a63f19b98566c4155a9780f55c0bd593ce93c1bd7f852685ee81
Opcode Fuzzy Hash: 14285ca2f0b5050eeb10927837999f101f9ee02a017fb9b220db0c994c14a3e0
Instruction Fuzzy Hash: 6C319970A042485FDB11EF96CC5169EBBF8EB48304F904477E814E7391D7789D058B98

Function 004163B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 00416427
UnregisterClassA.USER32(?,00400000), ref: 00416453
RegisterClassA.USER32(?), ref: 00416476

Strings

@, xrefs: 004163D1

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: a20fcd8b4000eae86e158a7cf10cda7c64d6fb475a14681c470eb96fef312757
Instruction ID: 74af36b6803d41f6853cd3ce3d24e6ffc0c269dd3492e9de927f187c4c73ed65
Opcode Fuzzy Hash: a20fcd8b4000eae86e158a7cf10cda7c64d6fb475a14681c470eb96fef312757
Instruction Fuzzy Hash: AA315C702042409BDB10EF69C981B9A77E5AB88308F04457FFA45DB392DB39D985CB6A

Function 0044F630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044F694
SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F6D6
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F707

Strings

open, xrefs: 0044F6FA

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ExecuteShell
String ID: open
API String ID: 2179883421-2758837156
Opcode ID: 5d65bdf1a68a50360177b59e1b17de20557ee183efcfcb1c09acd8af14c107c4
Instruction ID: 27722ccdd30e14b9079027b813231ec9417c8d596d109131258b3d0fa24c6570
Opcode Fuzzy Hash: 5d65bdf1a68a50360177b59e1b17de20557ee183efcfcb1c09acd8af14c107c4
Instruction Fuzzy Hash: 1C215070E40204BFEB10DFA9DC82B9EBBB8EF44714F11857AB501A7292D67C9A458A48

Function 00490200 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00490ACD,00000000,004902F6,?,?,00000000,00492628), ref: 00490270
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00490ACD,00000000,004902F6,?,?,00000000,00492628), ref: 00490299
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004902B2

Strings

isRS-%.3u.tmp, xrefs: 0049024F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 8d501dbe8754779fbbc4551a6ef16c6ba155ba939730555f28b22adbbd9d1952
Instruction ID: 84ec0ba2a7a86931400e9934c1aa84bf5b308f9588d1f16149e0ac51d8a7354a
Opcode Fuzzy Hash: 8d501dbe8754779fbbc4551a6ef16c6ba155ba939730555f28b22adbbd9d1952
Instruction Fuzzy Hash: CE216271E01219AFCF11EFA9C885AAFBBB8EF44314F10457BB814B72D1D6389E018A59

Function 00454A08 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454A5C
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454A89

Strings

LoadTypeLib, xrefs: 00454A67
RegisterTypeLib, xrefs: 00454A94

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 61cb2b2391c203defd257abac4021e1b6939228e1dc124a340144f06dba41211
Instruction ID: 783231ea94435fc0087f34711460946af1774244c06649ca950b936fb7940314
Opcode Fuzzy Hash: 61cb2b2391c203defd257abac4021e1b6939228e1dc124a340144f06dba41211
Instruction Fuzzy Hash: 8911A230B40604AFDB51DBA6DD51A5EB7B9DB89309B104476B800D7652DA389D44C618

Function 00471F00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284

GetFocus.USER32 ref: 00471F6B
GetKeyState.USER32(0000007A), ref: 00471F7D
WaitMessage.USER32(?,00000000,00471FA4,?,00000000,00471FCB,?,?,00000001,00000000,?,?,?,?,004791FF,00000000), ref: 00471F87

Strings

Wnd=$%x, xrefs: 00471F4F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 904e366136cff3dcaea322836a94cc964bf7325938357fb60853c8530aeb4b31
Instruction ID: c5684f2cadfa6479c06ce6299043275e4b927561dd953dc9e3c22c30dc13880d
Opcode Fuzzy Hash: 904e366136cff3dcaea322836a94cc964bf7325938357fb60853c8530aeb4b31
Instruction Fuzzy Hash: 51115434A04144AFC701EFA9DC51A9E77B8EB49714B5184B7F408E3661D73C6E00CA69

Function 0042EB68 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EB9F
MessageBoxA.USER32(?,00000000,00000000,00000001), ref: 0042EBCB
SetActiveWindow.USER32(?,0042EBF9,00000000,0042EC47,?,?,00000000,?), ref: 0042EBEC

Strings

t}G, xrefs: 0042EB86

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow$Message
String ID: t}G
API String ID: 2113736151-3734030870
Opcode ID: 29a5b97e5e16aea11bd18ac248af5cdc38bd738e31227901ecfe22b68a917f0a
Instruction ID: 93637352c78226270701b452ebd95810c2fea060df2177fc870e4549b641cd3b
Opcode Fuzzy Hash: 29a5b97e5e16aea11bd18ac248af5cdc38bd738e31227901ecfe22b68a917f0a
Instruction Fuzzy Hash: 1B010030A00218AFD701EBB6DC02D5BBBACEB09714B42487AB400D3261D6789C10CA68

Function 00468DA4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 00468DAC
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00468DBB

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 00468E30
(invalid), xrefs: 00468E3E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 7e5271fab70280bf4b606e1d52b7b41780ffbf2908240b8135230958cc2b66a9
Instruction ID: af565f08344929a1575728fac9f51d9e1992ec61425725bc294c4af9dfcd658b
Opcode Fuzzy Hash: 7e5271fab70280bf4b606e1d52b7b41780ffbf2908240b8135230958cc2b66a9
Instruction Fuzzy Hash: 4D11F8A140C3919ED340DF6AC44432FBBE4AB89704F44496EF9D8D6381E77AC948DB67

Function 004525CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004525DB

Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB

MoveFileA.KERNEL32(00000000,00000000), ref: 00452600

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

Strings

DeleteFile, xrefs: 004525EC
MoveFile, xrefs: 00452609

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: a50aafd5b99c9cbf6c6a1f16007cc2786bef0d47e124eeb0cd35235b1fbc0f60
Instruction ID: 4e1aed58776595ab6c7b67b54cba174f3ed66ee01ab59955a5ec3a7bb6030dfd
Opcode Fuzzy Hash: a50aafd5b99c9cbf6c6a1f16007cc2786bef0d47e124eeb0cd35235b1fbc0f60
Instruction Fuzzy Hash: 5AF086706441045BEB01FBA5DA5266F63ECEB4930AFA0443BB800B76C3DA7C9D094939

Function 00453F24 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegCloseKey.ADVAPI32(?,00453F8F,?,00000001,00000000), ref: 00453F82

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453F30
PendingFileRenameOperations2, xrefs: 00453F63
PendingFileRenameOperations, xrefs: 00453F54

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 21250b3f59e8a1b3ab45e49100b6a533c2958c5d03e63bbb63f4184d55fa8918
Instruction ID: 2fe5d9dd412f96f0258c427e8e9e7532a7d77a38f3856869fbc3dabfb8f5c388
Opcode Fuzzy Hash: 21250b3f59e8a1b3ab45e49100b6a533c2958c5d03e63bbb63f4184d55fa8918
Instruction Fuzzy Hash: 1DF0C233B443087FDB09DA62AC07A1AB3ECD744B56FA0446BF80086582DA79AE04922C

Function 0047C4E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047C525
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047C548

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0047C4F2
CSDVersion, xrefs: 0047C51C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 32f9c9d33b3d4a1cec81c858ea2cc638cd0cfa3a42bb1ff432fda8eb6f705346
Instruction ID: 2b22ae4652a4094afc35098fa0d5140fa3c6298d341fdca8ef5f3daa64d39871
Opcode Fuzzy Hash: 32f9c9d33b3d4a1cec81c858ea2cc638cd0cfa3a42bb1ff432fda8eb6f705346
Instruction Fuzzy Hash: 9EF03175A40218B6DF10DBD58C85BDFB3BCAB04704F20856BE518E7280E779EB04CB99

Function 0042D7D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004522D6,00000000,00452379,?,?,00000000,00000000,00000000,00000000,00000000,?,00452645,00000000), ref: 0042D7EE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7F4

Strings

GetSystemWow64DirectoryA, xrefs: 0042D7E4
kernel32.dll, xrefs: 0042D7E9

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 3ed141b827fa145380e35482eff6ef17b39d2e2a6c7c0a7d94d3e4db73219d37
Instruction ID: 72f845c82f3cbe693efe641176354b007bcea55f3b4776dcd007fff52ee4f80f
Opcode Fuzzy Hash: 3ed141b827fa145380e35482eff6ef17b39d2e2a6c7c0a7d94d3e4db73219d37
Instruction Fuzzy Hash: CEE04F61F40B9012D71079BA6C87B6B158D8B88724F94843B39A4E62C3DEBCD9441A9E

Function 0044EE30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00490B49), ref: 0044EE6B
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EE71

Strings

user32.dll, xrefs: 0044EE66
NotifyWinEvent, xrefs: 0044EE61

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 70ab6ca44c1c58fc54deb4365d547e37731eaf459d85ae999571f99ff6fdd204
Instruction ID: 3299c0b031c0e1fe2281b99bd24a528ff0331131e662fdb77b0e16fc83453d47
Opcode Fuzzy Hash: 70ab6ca44c1c58fc54deb4365d547e37731eaf459d85ae999571f99ff6fdd204
Instruction Fuzzy Hash: B0E012E0E42741AAEB01BBF79A46B0A3AD1B73471DF1004BBF10467192CBBC0458CB1E

Function 00490914 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00490B95,00000001,00000000,00490BB9), ref: 0049091E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00490924

Strings

user32.dll, xrefs: 00490919
DisableProcessWindowsGhosting, xrefs: 00490914

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: c967897bb093205d4fedeed5c30c4f40c75fdd424a4095d0a0f0bad314443b32
Instruction ID: 838b278ec98e31f4c73fd57d7bfbee2b42f08c5e91e18395c18da76804b5d864
Opcode Fuzzy Hash: c967897bb093205d4fedeed5c30c4f40c75fdd424a4095d0a0f0bad314443b32
Instruction Fuzzy Hash: EEB092C064170168EC1033F60D12B1F0C084881724B1400373810B10C3CD6CD800582D

Function 0045FCBC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AD34: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EE61,00490B49), ref: 0044AD5B
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AD73
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AD85
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AD97
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044ADA9
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADBB
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADCD
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044ADDF
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044ADF1
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AE03
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AE15
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AE27
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AE39
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AE4B
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AE5D
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AE6F
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AE81
Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AE93

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00490B67), ref: 0045FCCB
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045FCD1

Strings

SHPathPrepareForWriteA, xrefs: 0045FCC1
shell32.dll, xrefs: 0045FCC6

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: dceba0c1e70a86ae6835c65f47c615907b02d718ce7920ac66bf667d9a7d3384
Instruction ID: 337f9dc4bf1040498e6f486c22bc5dde57220a7dd07e65f04bb4b60c7b67ef44
Opcode Fuzzy Hash: dceba0c1e70a86ae6835c65f47c615907b02d718ce7920ac66bf667d9a7d3384
Instruction Fuzzy Hash: 83B092D0A81785B88E01B7B2998391A2514A650B0F720047B7C04B94C7CEBC008D6A6F

Function 0046C624 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0046C7F5,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E), ref: 0046C7D1
FindClose.KERNEL32(000000FF,0046C7FC,0046C7F5,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E,?), ref: 0046C7EF
FindNextFileA.KERNEL32(000000FF,?,00000000,0046C917,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E), ref: 0046C8F3
FindClose.KERNEL32(000000FF,0046C91E,0046C917,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E,?), ref: 0046C911

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 1eb9b9d3c023d84a09ef91d182cf047f3dac9a2ab61e2e2cb0095298d4bd912f
Instruction ID: 1dd2fae92c3a96226fdad02eb244197cfc035410fb76892232ec07de3388933a
Opcode Fuzzy Hash: 1eb9b9d3c023d84a09ef91d182cf047f3dac9a2ab61e2e2cb0095298d4bd912f
Instruction Fuzzy Hash: 21B12D7490424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE848B3251E7389A45CF59

Function 00413CA0 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413CEE
GetDesktopWindow.USER32 ref: 00413DA6

Part of subcall function 00418E68: 6F5BC6F0.COMCTL32(?,00000000,00413F6B,00000000,0041407B,?,?,00492628), ref: 00418E84
Part of subcall function 00418E68: ShowCursor.USER32(00000001,?,00000000,00413F6B,00000000,0041407B,?,?,00492628), ref: 00418EA1

SetCursor.USER32(00000000,?,?,?,?,00413A9B,00000000,00413AAE), ref: 00413DE4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: c0a5a9a3f23ddf0fdb38005436cf92fc6adf24d58530c29053f60a471aec8e15
Instruction ID: c44ea819ba4037f48297b9dda5801cfcbd8121a3a152854b6b02c08412c937c2
Opcode Fuzzy Hash: c0a5a9a3f23ddf0fdb38005436cf92fc6adf24d58530c29053f60a471aec8e15
Instruction Fuzzy Hash: 90414C75600110BFCB10EF29FAD9B9637E5AB64325F16807BE404CB365DAB8EC81DB58

Function 004089F4 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A15
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A84
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B1F
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B5E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: e08be93b19a1cddc4bd5487b5509b10aac953965d6ff4287a83413ce4527f0a1
Instruction ID: 4e3ae3d55980ca36df37c0f6f31f55762440d7de19fd646938f5a693a080efc6
Opcode Fuzzy Hash: e08be93b19a1cddc4bd5487b5509b10aac953965d6ff4287a83413ce4527f0a1
Instruction Fuzzy Hash: 0F3143706083849AD330EB65C945F9B77E89B86704F40483FB6C8E72D1DB795908876B

Function 0044DFB0 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044DFF9

Part of subcall function 0044C62C: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C65E

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E07D

Part of subcall function 0042BB5C: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB70

IsRectEmpty.USER32(?), ref: 0044E03F
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E062

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: a016e4b893d0b61d6fc16ea788ceac071314e27b0018c062adb4e940fa0ff4d7
Instruction ID: 7aee670bcfb8eb3b6de293677f7b28f2d941b2dfee79f0c9038e744660d2ac79
Opcode Fuzzy Hash: a016e4b893d0b61d6fc16ea788ceac071314e27b0018c062adb4e940fa0ff4d7
Instruction Fuzzy Hash: BD11907174031027E610BA3E9C86B5F76899B88748F05493FB545EB383DDBDDC094399

Function 0048DAAC Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 0048DB10
OffsetRect.USER32(?,00000000,?), ref: 0048DB2B
OffsetRect.USER32(?,?,00000000), ref: 0048DB45
OffsetRect.USER32(?,00000000,?), ref: 0048DB60

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: fc16b123eb7b5af0d1f41d7d74d95bc65ca2d2300f8b1348e127f489464c5e53
Instruction ID: 20aeee4d2b07ae62cc9dc5e78f47db44159e8b2d0969b42eb6e8c3539826bbe7
Opcode Fuzzy Hash: fc16b123eb7b5af0d1f41d7d74d95bc65ca2d2300f8b1348e127f489464c5e53
Instruction Fuzzy Hash: DA218EB6B04201ABD700DE69CD85E5BB7EEEBD4304F14CA2AF544C7389D634F84487A6

Function 004171C3 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417208
SetCursor.USER32(00000000), ref: 0041724B
GetLastActivePopup.USER32(?), ref: 00417275
GetForegroundWindow.USER32(?), ref: 0041727C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 31a9e7ed65d1c6a10f15c6d0b6e52d74fbafc79933164b7f4b16210c0427c26c
Instruction ID: c6d496dfd2e179b176722755b72bbf9acc304802cb498c635dadf3855441ee16
Opcode Fuzzy Hash: 31a9e7ed65d1c6a10f15c6d0b6e52d74fbafc79933164b7f4b16210c0427c26c
Instruction Fuzzy Hash: AF21B0302042108ACB10EB6AD9446D733B1AB58724B5649BFF8449B392D77CCCC2CB89

Function 0048D764 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048D779
MulDiv.KERNEL32(50142444,00000008,?), ref: 0048D78D
MulDiv.KERNEL32(F77DE7E8,00000008,?), ref: 0048D7A1
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048D7BF

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7c6c338261a481ad8b7901dc756b9c3c7a5dc3a5f053bd0898b94715f12a61
Instruction ID: 600d8a0932f196341a5d2119bb187cb8608b3b3d374fe33bc178acc1610e68b6
Opcode Fuzzy Hash: 1c7c6c338261a481ad8b7901dc756b9c3c7a5dc3a5f053bd0898b94715f12a61
Instruction Fuzzy Hash: 7D113376A04204AFCB40EFA9D8C4D9B77ECEF4D370B14456AF918DB286D634ED408BA4

Function 0041F428 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F418,?), ref: 0041F449
UnregisterClassA.USER32(0041F418,00400000), ref: 0041F472
RegisterClassA.USER32(00491598), ref: 0041F47C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F4B7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 761ca2ece1ab3754932666086e5ff0fe31a56c3d7f92931e99de52f18d346379
Instruction ID: 0e76fd6e7c714867a95bae8c9fe2d4343c59fb837708c2c10e589f0ce1237785
Opcode Fuzzy Hash: 761ca2ece1ab3754932666086e5ff0fe31a56c3d7f92931e99de52f18d346379
Instruction Fuzzy Hash: 380192712401057BCB10EBA8DD81E9B3798A759324B11423BBA16E72E2C6359D198BAC

Function 004534E4 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 00453510
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 3a38fcc9bb95e77e0da836e4e5a18b4c9ab16e283b4f9bbdb0fce61a35c68c2f
Instruction ID: 976b375f78923eada3d8d1f25cef2af6e5c381faa9b0e8b7c45c7f6a29b52fc4
Opcode Fuzzy Hash: 3a38fcc9bb95e77e0da836e4e5a18b4c9ab16e283b4f9bbdb0fce61a35c68c2f
Instruction Fuzzy Hash: 48019670A4060C7AEB209BA98C06E6B7AACDB057A1F610167B904D72C2E5789E008A68

Function 0040D1A8 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D1BF
LoadResource.KERNEL32(00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?,?,00475D88,0000000A,REGDLL_EXE), ref: 0040D1D9
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?,?,00475D88), ref: 0040D1F3
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?), ref: 0040D1FD

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 06d5a2224ff0889236480c5d79a412c4b439f6556495b070d29e0fa02e81d982
Instruction ID: bdc6fd998ef4e88b0830a639bb7e725ca803f690ad01cf79ba3c1cf188caca31
Opcode Fuzzy Hash: 06d5a2224ff0889236480c5d79a412c4b439f6556495b070d29e0fa02e81d982
Instruction Fuzzy Hash: 9FF0FBB2A056046F9744EE9EA881D6B76DCDE88364320016FF908EB246DA38DD118B78

Function 00401548 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,t;Z,?,?,?,004018B4), ref: 00401566
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,t;Z,?,?,?,004018B4), ref: 0040158B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,t;Z,?,?,?,004018B4), ref: 004015B1

Strings

t;Z, xrefs: 0040154B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: t;Z
API String ID: 3668210933-464866892
Opcode ID: fce1606467af8550c5b018af38dd943930b60dea47268f49170f1643513630e1
Instruction ID: 87006be24bad80dd1cc56b86a6ffae3645cf31722f94d2f4d5d5d4de76e86b34
Opcode Fuzzy Hash: fce1606467af8550c5b018af38dd943930b60dea47268f49170f1643513630e1
Instruction Fuzzy Hash: 48F0C2B1640320BAEB315A294C85F133AD8DBC5794F1040B6BE09FF3DAD6B8980082AC

Function 0046A298 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046A2E9

Strings

Unsetting NTFS compression on directory: %s, xrefs: 0046A2CF
Failed to set NTFS compression state (%d)., xrefs: 0046A2FA
Setting NTFS compression on directory: %s, xrefs: 0046A2B7

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 4d3942e9cc61f02bf791f275095a639e0222dadc5439085e038e50f3473c57ee
Instruction ID: fae52b56698cbef2ef65a100aaaf1ff6f22f0878e20b839bb13b77e1b18f05a4
Opcode Fuzzy Hash: 4d3942e9cc61f02bf791f275095a639e0222dadc5439085e038e50f3473c57ee
Instruction Fuzzy Hash: 62018430D18648A6CB0097ED50512DDBBE49F09304F4481EBA855EB382EB791A184F9B

Function 004542B0 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60

RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,00458EC3,?,?,?,?,?,00000000,00458ED6), ref: 004542EC
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,00458EC3,?,?,?,?,?,00000000), ref: 004542F5
RemoveFontResourceA.GDI32(00000000), ref: 00454302
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454316

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 2877f501dee16d655d75d116cfb29e793393d1176e080bde7ec29140c7e78512
Instruction ID: 6bcd884f58daa4cf242193067a8401f82c1379502e7cf10432dee752efbb2f93
Opcode Fuzzy Hash: 2877f501dee16d655d75d116cfb29e793393d1176e080bde7ec29140c7e78512
Instruction Fuzzy Hash: 9CF05EB574535136EA10B6B65C87F5B228C8F94749F10883BBA00EF2D3D97CDC05962D

Function 0046AB88 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0046ABD9

Strings

Unsetting NTFS compression on file: %s, xrefs: 0046ABBF
Setting NTFS compression on file: %s, xrefs: 0046ABA7
Failed to set NTFS compression state (%d)., xrefs: 0046ABEA

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 1e8bcf552af8bc3392dbf0996a1f185d8ced690d2f94648fef7693de0000dbcf
Instruction ID: e77f6018277675d8139a31bc4823810fa5650a54dc532de9f13faf9e2e869009
Opcode Fuzzy Hash: 1e8bcf552af8bc3392dbf0996a1f185d8ced690d2f94648fef7693de0000dbcf
Instruction Fuzzy Hash: 4F016230E186486ACB04D7AD90512EEBBE49F09304F4481EFA455E7382EA791A188F9B

Function 00475FC4 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00475FE5
GetLastError.KERNEL32 ref: 00475FEF
GetTickCount.KERNEL32 ref: 00475FF9
Sleep.KERNEL32(00000032), ref: 00476009

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: f718e6b50ed350133e41aa23a99476cb64688864381fa2aa0eea5d6d0af79086
Instruction ID: ac2bc92c64288a8ae8ad87d3879801b84766de851918f2f303a3950bd66c2a85
Opcode Fuzzy Hash: f718e6b50ed350133e41aa23a99476cb64688864381fa2aa0eea5d6d0af79086
Instruction Fuzzy Hash: E8E02B31309D8045CE2879BE18827FF458AEB85324B35493FF0CED6282CC1C4C05A92E

Function 00471CE4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008,?,?,?,?,?,00490C38), ref: 00471CED
OpenProcessToken.ADVAPI32(00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 00471CF3
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 00471D15
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000), ref: 00471D26

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: b8dd8522978c37078a23bae837822d7669e7a9385b1b3912b8ae2519caf80a33
Instruction ID: c12eef84649cb6e2f6a6854870b7cf4ad062ba222e75244fe963afc4875e72bb
Opcode Fuzzy Hash: b8dd8522978c37078a23bae837822d7669e7a9385b1b3912b8ae2519caf80a33
Instruction Fuzzy Hash: 2DF037616443056BD610E6B5CD81E5B77DCEB44354F04493A7E98C71D1D678DC089B26

Function 004241E8 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 004241F4
IsWindowVisible.USER32(?), ref: 00424205
IsWindowEnabled.USER32(?), ref: 0042420F
SetForegroundWindow.USER32(?), ref: 00424219

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: d9228b7f269806e4fe8e97f345a82837c2af6ea24a9e24666224f8ff684892d2
Instruction ID: e71b939943bb08068cd538cfbf2adeec964b373e7692791c6f26669312c8020f
Opcode Fuzzy Hash: d9228b7f269806e4fe8e97f345a82837c2af6ea24a9e24666224f8ff684892d2
Instruction Fuzzy Hash: 23E08CA178253593AE22B6A72D81A9B018CCD453C434A01A7BC08FB283DBACCC0082BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnWire.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalFix.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 00465C24 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00465E11
EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00465E17

Strings

CurPageChanged, xrefs: 00465F9F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: 4c78da4d24218412021c3909a6acb726144e1dbd0d30da321cddcfbbb7aea40b
Instruction ID: ab7830cd034902a018f3633d5f7e813821d05f3ecf729ff0a8a04420c7cd6334
Opcode Fuzzy Hash: 4c78da4d24218412021c3909a6acb726144e1dbd0d30da321cddcfbbb7aea40b
Instruction Fuzzy Hash: 7CA10734604604EFC741DB69D989EAA73F5EF89304F2541F6F8049B362EB38AE41DB49

Function 004598F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0044FC44: SetEndOfFile.KERNEL32(?,?,004599C5,00000000,00459B68,?,00000000,00000002,00000002), ref: 0044FC4B

FlushFileBuffers.KERNEL32(?), ref: 00459B34

Strings

EndOffset range exceeded, xrefs: 00459A56
NumRecs range exceeded, xrefs: 00459A1F

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 8ae3be6554068dfdb21ba64c754101badf157809c3998e251981b1590163acf1
Instruction ID: 995539901c97ad68f5746cda8c194ef6f3d3db8d93705507f5965892a0295e18
Opcode Fuzzy Hash: 8ae3be6554068dfdb21ba64c754101badf157809c3998e251981b1590163acf1
Instruction Fuzzy Hash: D2613E34A00258CBDB25DF15C881ADAB3B5EB49305F0081EAED49AB352D778AEC9CF54

Function 00402088 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(00492420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00492420,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00492420,00401A89,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

P%Z, xrefs: 004020F8, 00402122, 0040213C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID: P%Z
API String ID: 296031713-4038107055
Opcode ID: e1edfae6cf2c17bbd4669533da60f2e7d0b1b7a9f33573fe9cb1b0bdb675c80a
Instruction ID: 58254c69d885ef9708e875f84cb8bea788a13d4415adb82183e1d41e883b2ff5
Opcode Fuzzy Hash: e1edfae6cf2c17bbd4669533da60f2e7d0b1b7a9f33573fe9cb1b0bdb675c80a
Instruction Fuzzy Hash: 6041D4B2E01301AFDB10CF69DE8521A77A4F7A8324B15417BD854A77E1D3B89841CB88

Function 00467704 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 00467804
Failed to proceed to next wizard page; aborting., xrefs: 004677F0

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: ca7d52e32b1f50b24c16d12faf74625e74990e5f2a97b77bfd751917ec34c771
Instruction ID: 54b8d4b4028f273aede26eca5f3620dfaa6aeb886877892ecf599f8e019bb906
Opcode Fuzzy Hash: ca7d52e32b1f50b24c16d12faf74625e74990e5f2a97b77bfd751917ec34c771
Instruction Fuzzy Hash: BF31E034A08204EFDB01EB65C985E9D77F5EB49718F6140BBF80497352EB78AE00CA59

Function 004537F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 0045388C
GetLastError.KERNEL32(0000003C,00000000,004538D5,?,?,?), ref: 0045389D

Part of subcall function 004534E4: WaitForInputIdle.USER32(?,00000032), ref: 00453510
Part of subcall function 004534E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
Part of subcall function 004534E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
Part of subcall function 004534E4: CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561

Strings

<, xrefs: 00453840

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
String ID: <
API String ID: 35504260-4251816714
Opcode ID: 0ccb10dcf298b0fc8a039a98a305e9a75669da3d8a4312c41de7e15a11d174fd
Instruction ID: a48743936d6917b30e90ea1336603dc98d5f36d007a8bf71f63bee0ab98bf73b
Opcode Fuzzy Hash: 0ccb10dcf298b0fc8a039a98a305e9a75669da3d8a4312c41de7e15a11d174fd
Instruction Fuzzy Hash: 95218670A00209AFDB14EF65D88269E7BF8EF04356F50443AF844E7381D7789E49CB98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(00492420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(00492420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00492420,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00492420,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00492420,00401A89,00000000,00401A82,?,?,0040222E,00492460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 4485ac256982a062d4fa7b498a16ced20a2b64ccb8ee85a4042039cc97c61c73
Instruction ID: 5ca06efdeebc3fba4ee02943ae555fbbec684c5e6e5b72b014691e2301117c59
Opcode Fuzzy Hash: 4485ac256982a062d4fa7b498a16ced20a2b64ccb8ee85a4042039cc97c61c73
Instruction Fuzzy Hash: 9B1101317052047FEB25AB7A9F1A62B6AD4D795758B24087FF404F32D2D9FD8C02826C

Function 0048EC92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0048ECCB

Strings

/INITPROCWND=$%x , xrefs: 0048ECF6
@, xrefs: 0048EC98

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 9fceb97f9dee9116b4f9cd4460141dcdd6850024def755ee183cc3526b898cc5
Instruction ID: f0e425cee1880468264a3bcbee4eb035e6200ab2a1fbac31d2564d6a1bb1e37f
Opcode Fuzzy Hash: 9fceb97f9dee9116b4f9cd4460141dcdd6850024def755ee183cc3526b898cc5
Instruction Fuzzy Hash: 9B11D371A042499FDB01EBA5D841BEE7BF8EB49314F50487BE404E7292D77CA909CB9C

Function 00446AF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446BA2

Strings

NIL Interface Exception, xrefs: 00446B44
Unknown Method, xrefs: 00446B7B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 6cfdb488caeb7d7681ac0af27f1ef08cc2626e2ae4e3480024423c9f119b8ea1
Instruction ID: 34182cf724be706de40d5a6da2d3ea217801cbd4a50a487fa4911f02854a4a1d
Opcode Fuzzy Hash: 6cfdb488caeb7d7681ac0af27f1ef08cc2626e2ae4e3480024423c9f119b8ea1
Instruction Fuzzy Hash: F211B9706003489FDB10DFA5CC52AAEBBBCEB49704F52407AF500E7681D679AD04C76A

Function 0048E504 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048E5CC,?,0048E5C0,00000000,0048E5A7), ref: 0048E572
CloseHandle.KERNEL32(0048E60C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048E5CC,?,0048E5C0,00000000), ref: 0048E589

Part of subcall function 0048E45C: GetLastError.KERNEL32(00000000,0048E4F4,?,?,?,?), ref: 0048E480

Strings

D, xrefs: 0048E54C

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: fa7bdcc11f5ef5bee1e69b8ec904ff8917b0f561a8a38e53a969cabdf9631441
Instruction ID: 6a615ac2cff9bf009bed2b39286a60f6aa18dfcc8d35b7c44523146efba21c0d
Opcode Fuzzy Hash: fa7bdcc11f5ef5bee1e69b8ec904ff8917b0f561a8a38e53a969cabdf9631441
Instruction Fuzzy Hash: 060165B1604248BFDB04EBD2CC52E9F7BECDF08718F51043AB504E7291E6785E05C658

Function 0042DB8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBA0
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBE0

Strings

Inno Setup: No Icons, xrefs: 0042DB9E

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: d1a5a528ef564f2780d65b419a62ed7265ab650cf9fb354477a1f950a26e9855
Instruction ID: 963321e0e52aed92ccfb8a2f54d21a93e2c319f999d6bed2d0c39c2fe313cf58
Opcode Fuzzy Hash: d1a5a528ef564f2780d65b419a62ed7265ab650cf9fb354477a1f950a26e9855
Instruction Fuzzy Hash: 7201F731B4536069F73085166D11B7BA9889B41B64F65003BF940EA3C0D2D9AC04E36E

Function 00454DEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00454E01
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00454E93

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00454E2D

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
API String ID: 3850602802-809544686
Opcode ID: a1adc5262f18ccc09dab35f6281ca63863273ffb2e92d3f90e9b3158a6a75f82
Instruction ID: c0f4a4cb65a707f69109a7cbf24843c611ca21f6354bed41214754854ac40189
Opcode Fuzzy Hash: a1adc5262f18ccc09dab35f6281ca63863273ffb2e92d3f90e9b3158a6a75f82
Instruction Fuzzy Hash: 2F11C8716443506BD300EB699C82B5F7BA89B95308F04847FFA81DF3D2C3B95844D76A

Function 0046F8A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB

MoveFileA.KERNEL32(00000000,00000000), ref: 0046F906

Part of subcall function 0046F758: GetLastError.KERNEL32(00000000,0046F844,?,?,?,00493060,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046F8CB,00000001), ref: 0046F779

Strings

MoveFile, xrefs: 0046F8E1
DeleteFile, xrefs: 0046F8BF

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$DeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3195829115-139070271
Opcode ID: 5c8c727110c0e0b4565a3325b8e4452370312bb855e0c18274313c129a62c069
Instruction ID: f1cebc0cb96c5cf1ed8be3b38952e05ad97f7cd0b069703ba66f8283a9432f3b
Opcode Fuzzy Hash: 5c8c727110c0e0b4565a3325b8e4452370312bb855e0c18274313c129a62c069
Instruction Fuzzy Hash: 35F062A12051446BDE10BB69B54275B23889F0239DB1041BBBCC06B387EB3D9C0E87AF

Function 0048F902 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00453AF8: GetCurrentProcess.KERNEL32(00000028), ref: 00453B07
Part of subcall function 00453AF8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453B0D

SetForegroundWindow.USER32(?), ref: 0048F934

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0048F95F
Restarting Windows., xrefs: 0048F911

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: af8013956ed1e441d462507a332d2bb0e9ba5b4fab94b57e1f2de3ed3b9a88cc
Instruction ID: 6d3c2020791d7036b49287d64f904da8ce72110519df1e124044460b8ab960db
Opcode Fuzzy Hash: af8013956ed1e441d462507a332d2bb0e9ba5b4fab94b57e1f2de3ed3b9a88cc
Instruction Fuzzy Hash: 1001F2B0204240BBE701FB75E942B9C27D89748309F50847BF440AB2D3CABCAD4C8B2D

Function 0046F3F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046F62F), ref: 0046F41D
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046F62F), ref: 0046F434

Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B

Strings

CreateFile, xrefs: 0046F429

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 83a25d90d7310315855ab5c96ce9738bc8fdc91c694f0aa79d336ebee5981cdc
Instruction ID: 8566c0baceda2c5727a8425b1213297a8e6c3c46ac1f7708f5e95aedaf673be2
Opcode Fuzzy Hash: 83a25d90d7310315855ab5c96ce9738bc8fdc91c694f0aa79d336ebee5981cdc
Instruction Fuzzy Hash: EDE065342843047FDA10E669DCC6F0677989B14728F108161F6446F3E2C5B5EC448659

Function 0046961C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,|0I,00000004,00000001,?,00469B43,?,?,00000000,00469BEA,?,_is1,?), ref: 0046962F

Strings

NoModify, xrefs: 0046962D
|0I, xrefs: 00469625, 00469628

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID: NoModify$|0I
API String ID: 3702945584-1260956942
Opcode ID: 8b91cc6152b2179ce9e637dcb014ffca10acbe7234aaced8902c34e3e8e2fc59
Instruction ID: 2bef48f429356fc4da1bc079aaf13935e8d13ae686911c9cef0d84ca04fc1d48
Opcode Fuzzy Hash: 8b91cc6152b2179ce9e637dcb014ffca10acbe7234aaced8902c34e3e8e2fc59
Instruction Fuzzy Hash: 59E04FB0604304BFEB04DB95CD4AF6B77ACDB48714F108059BA049B381EAB4EE00C668

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00490B12), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,00490B12), ref: 00403356

Strings

x7X, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: x7X
API String ID: 2123368496-1343527176
Opcode ID: d737cc7b9cd13b528ce14af1aacc88c8ddd298868fec6d91f7c233b30a1e07fe
Instruction ID: 15d18a38a4fda6e83645f6d70f9b704c6f366be4de143aedaa8863cd8992b112
Opcode Fuzzy Hash: d737cc7b9cd13b528ce14af1aacc88c8ddd298868fec6d91f7c233b30a1e07fe
Instruction Fuzzy Hash: EAC002609012059AE750AF7559467152A949751349F80447FB204B61E3D6BC82059BDE

Function 00453B88 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00453BA7
Sleep.KERNEL32(?), ref: 00453BB7
GetLastError.KERNEL32 ref: 00453BCA
GetLastError.KERNEL32 ref: 00453BD4

Memory Dump Source

Source File: 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2922031669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922130951.0000000000491000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2922151772.00000000004A2000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 1c3ac95de8c21fbfebb9eb49584ea609f7c2c977139e8f984cbd0286e03cbb55
Instruction ID: 70cd491ee1c602b8227b57ee529d2398dd08f77e1846977ffbd05afa78f388ef
Opcode Fuzzy Hash: 1c3ac95de8c21fbfebb9eb49584ea609f7c2c977139e8f984cbd0286e03cbb55
Instruction Fuzzy Hash: 2CF0B432B04514679F20BD9F9985A6F628CDA943E7720016FFD05DF303C43AEE4956A9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Function 00409948 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 00408EFC Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Function 00409EE4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 00409F08 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 102
COMMON

Function 004097BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 00409EF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
COMMON

Function 00409188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 00409C56 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117
windowCOMMON

Function 00409C71 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
windowCOMMON

Function 00406EC4 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Function 00407544 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Function 00407584 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 004074DC Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON