Edit tour

Windows Analysis Report
EQ5Vcf19u8.exe

Overview

General Information

Sample name:	EQ5Vcf19u8.exe renamed because original name is a hash value
Original sample name:	9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
Analysis ID:	1579844
MD5:	849f1e782aef6fc885225f115db43236
SHA1:	2e790be949272e97d9fd71b7a6ea34140f08fb16
SHA256:	9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
Infos:

Detection

Socks5Systemz

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Yara detected Socks5Systemz

AI detected suspicious sample

Contains functionality to infect the boot sector

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EQ5Vcf19u8.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\EQ5Vcf19u8.exe" MD5: 849F1E782AEF6FC885225F115DB43236)

EQ5Vcf19u8.tmp (PID: 7620 cmdline: "C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp" /SL5="$20478,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe" MD5: BCF2F0322A00DC0DE9B0CAE39438B480)

classichomecinema.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i MD5: 765448A33166E70D7C75392D7E8FC161)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-1OQ1J.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3556027586.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000002.00000000.1706052559.0000000000401000.00000020.00000001.01000000.00000009.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.3556080703.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: classichomecinema.exe PID: 7640	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.classichomecinema.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T11:49:10.321846+0100	2028765	3	Unknown Traffic	192.168.2.4	49887	188.119.66.185	443	TCP
2024-12-23T11:49:16.153824+0100	2028765	3	Unknown Traffic	192.168.2.4	49904	188.119.66.185	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T11:49:11.133576+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49887	188.119.66.185	443	TCP
2024-12-23T11:49:16.849386+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49904	188.119.66.185	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045D254 ArcFourCrypt,	1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045D23C ArcFourCrypt,	1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack

Source: EQ5Vcf19u8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Classic Home Cinema_is1

Jump to behavior

Source: unknown

HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49887 version: TLS 1.2

Source:	Binary string: msvcp71.pdbx# source: is-T75LM.tmp.1.dr
Source:	Binary string: msvcr71.pdb< source: is-E3J5R.tmp.1.dr
Source:	Binary string: msvcp71.pdb source: is-T75LM.tmp.1.dr
Source:	Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-RQ64T.tmp.1.dr
Source:	Binary string: msvcr71.pdb source: is-E3J5R.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463CDC

Source: global traffic

TCP traffic: 192.168.2.4:49893 -> 31.214.157.206:2024

Source: Joe Sandbox View	IP Address: 31.214.157.206 31.214.157.206
Source: Joe Sandbox View	IP Address: 188.119.66.185 188.119.66.185

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49887 -> 188.119.66.185:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49904 -> 188.119.66.185:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49904 -> 188.119.66.185:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49887 -> 188.119.66.185:443

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119db388a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4da9c5b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185

Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.66.185

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00AB2B95 WSASetLastError,WSARecv,WSASetLastError,select,

2_2_00AB2B95

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119db388a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4da9c5b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185

Source: EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: EQ5Vcf19u8.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: EQ5Vcf19u8.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: EQ5Vcf19u8.exe, 00000000.00000003.1694370826.0000000002088000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1694235169.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: EQ5Vcf19u8.exe, 00000000.00000003.1694370826.0000000002088000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1694235169.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/
Source: classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/a
Source: classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325
Source: classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4
Source: classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
Source: classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/j
Source: classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://188.119.66.185/priseCertificates
Source: EQ5Vcf19u8.exe, 00000000.00000002.3555201992.0000000002081000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1693888335.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1693955102.0000000002081000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1695608267.0000000003100000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.3555541276.0000000002128000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.3555255376.000000000068B000.00000004.00000020.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1695670125.0000000002128000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: unknown

HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49887 version: TLS 1.2

Source: is-RQ64T.tmp.1.dr

Binary or memory string: DirectDrawCreateEx

memstr_9b1d124f-5

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0042F520 NtdllDefWindowProc_A,	1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00423B84 NtdllDefWindowProc_A,	1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004125D8 NtdllDefWindowProc_A,	1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00478AC0 NtdllDefWindowProc_A,	1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457594

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E934

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004706A8	1_2_004706A8
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004809F7	1_2_004809F7
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004352C8	1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004673A4	1_2_004673A4
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0043DD50	1_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0043035C	1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004444C8	1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004345C4	1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00444A70	1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00486BD0	1_2_00486BD0
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00430EE8	1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045F0C4	1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00445168	1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045B174	1_2_0045B174
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00469404	1_2_00469404
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00445574	1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004519BC	1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00487B30	1_2_00487B30
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0048DF54	1_2_0048DF54
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_004067B7	2_2_004067B7
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609660FA	2_2_609660FA
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6092114F	2_2_6092114F
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6091F2C9	2_2_6091F2C9
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096923E	2_2_6096923E
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6093323D	2_2_6093323D
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095C314	2_2_6095C314
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60950312	2_2_60950312
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094D33B	2_2_6094D33B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6093B368	2_2_6093B368
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096748C	2_2_6096748C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6093F42E	2_2_6093F42E
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60954470	2_2_60954470
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609615FA	2_2_609615FA
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096A5EE	2_2_6096A5EE
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096D6A4	2_2_6096D6A4
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609606A8	2_2_609606A8
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60932654	2_2_60932654
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60955665	2_2_60955665
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094B7DB	2_2_6094B7DB
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6092F74D	2_2_6092F74D
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60964807	2_2_60964807
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094E9BC	2_2_6094E9BC
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60937929	2_2_60937929
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6093FAD6	2_2_6093FAD6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096DAE8	2_2_6096DAE8
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094DA3A	2_2_6094DA3A
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60936B27	2_2_60936B27
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60954CF6	2_2_60954CF6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60950C6B	2_2_60950C6B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60966DF1	2_2_60966DF1
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60963D35	2_2_60963D35
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60909E9C	2_2_60909E9C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60951E86	2_2_60951E86
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60912E0B	2_2_60912E0B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60954FF8	2_2_60954FF8
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AEF21D	2_2_00AEF21D
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AF0010	2_2_00AF0010
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AE94B3	2_2_00AE94B3
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AC70B0	2_2_00AC70B0
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00ABE079	2_2_00ABE079
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00ACBAED	2_2_00ACBAED
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00ACD31F	2_2_00ACD31F
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AD0DA4	2_2_00AD0DA4
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00ACB5F9	2_2_00ACB5F9
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AD266D	2_2_00AD266D
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00AC873A	2_2_00AC873A
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_00ACBF05	2_2_00ACBF05

Source: Joe Sandbox View

Dropped File: C:\ProgramData\ClassicHomeCinema\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: String function: 004460A4 appears 59 times
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: String function: 00AD2A00 appears 135 times
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: String function: 00AC7750 appears 32 times

Source: EQ5Vcf19u8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: EQ5Vcf19u8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: EQ5Vcf19u8.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: classichomecinema.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: is-G4VDT.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-G4VDT.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-G4VDT.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: ClassicHomeCinema.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: is-7MGOG.tmp.1.dr	Static PE information: Number of sections : 19 > 10
Source: sqlite3.dll.2.dr	Static PE information: Number of sections : 19 > 10

Source: EQ5Vcf19u8.exe, 00000000.00000003.1694370826.0000000002088000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs EQ5Vcf19u8.exe
Source: EQ5Vcf19u8.exe, 00000000.00000003.1694235169.0000000002300000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs EQ5Vcf19u8.exe

Source: EQ5Vcf19u8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal80.troj.evad.winEXE@5/26@0/2

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00ABF8C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError,

2_2_00ABF8C0

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455E0C

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: CreateServiceA,

2_2_004021BD

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance,

1_2_0046E0E4

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_0040D758 StartServiceCtrlDispatcherA,

2_2_0040D758

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_0040D758 StartServiceCtrlDispatcherA,

2_2_0040D758

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

File created: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp

Jump to behavior

Source: Yara match	File source: 2.0.classichomecinema.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1706052559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3556080703.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-1OQ1J.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7MGOG.tmp.1.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: EQ5Vcf19u8.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: EQ5Vcf19u8.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

File read: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EQ5Vcf19u8.exe "C:\Users\user\Desktop\EQ5Vcf19u8.exe"
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp "C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp" /SL5="$20478,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp "C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp" /SL5="$20478,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i	Jump to behavior

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Classic Home Cinema_is1

Jump to behavior

Source: EQ5Vcf19u8.exe

Static file information: File size 3335813 > 1048576

Source:	Binary string: msvcp71.pdbx# source: is-T75LM.tmp.1.dr
Source:	Binary string: msvcr71.pdb< source: is-E3J5R.tmp.1.dr
Source:	Binary string: msvcp71.pdb source: is-T75LM.tmp.1.dr
Source:	Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-RQ64T.tmp.1.dr
Source:	Binary string: msvcr71.pdb source: is-E3J5R.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack .amtt4:ER;.antt4:R;.aott4:W;.rsrc:R;.aptt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502C0

Source: initial sample

Static PE information: section where entry point is pointing to: .amtt4

Source: classichomecinema.exe.1.dr	Static PE information: section name: .amtt4
Source: classichomecinema.exe.1.dr	Static PE information: section name: .antt4
Source: classichomecinema.exe.1.dr	Static PE information: section name: .aott4
Source: classichomecinema.exe.1.dr	Static PE information: section name: .aptt4
Source: is-RQ64T.tmp.1.dr	Static PE information: section name: Shared
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /4
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /19
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /35
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /51
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /63
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /77
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /89
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /102
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /113
Source: is-7MGOG.tmp.1.dr	Static PE information: section name: /124
Source: ClassicHomeCinema.exe.2.dr	Static PE information: section name: .amtt4
Source: ClassicHomeCinema.exe.2.dr	Static PE information: section name: .antt4
Source: ClassicHomeCinema.exe.2.dr	Static PE information: section name: .aott4
Source: ClassicHomeCinema.exe.2.dr	Static PE information: section name: .aptt4
Source: sqlite3.dll.2.dr	Static PE information: section name: /4
Source: sqlite3.dll.2.dr	Static PE information: section name: /19
Source: sqlite3.dll.2.dr	Static PE information: section name: /35
Source: sqlite3.dll.2.dr	Static PE information: section name: /51
Source: sqlite3.dll.2.dr	Static PE information: section name: /63
Source: sqlite3.dll.2.dr	Static PE information: section name: /77
Source: sqlite3.dll.2.dr	Static PE information: section name: /89
Source: sqlite3.dll.2.dr	Static PE information: section name: /102
Source: sqlite3.dll.2.dr	Static PE information: section name: /113
Source: sqlite3.dll.2.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040994C push 00409989h; ret	1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00483F88 push 00484096h; ret	1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax	1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx	1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00412928 push 0041298Bh; ret	1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx	1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx	1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004592D0 push 00459314h; ret	1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx	1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx	1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx	1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004517F8 push 0045182Bh; ret	1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax	1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx	1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx	1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx	1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00499D30 pushad ; retf	1_2_00499D3F

Source: classichomecinema.exe.1.dr	Static PE information: section name: .amtt4 entropy: 7.750849017599865
Source: ClassicHomeCinema.exe.2.dr	Static PE information: section name: .amtt4 entropy: 7.750849017599865

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

2_2_00ABE8A2

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	File created: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-T75LM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-0BQ7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-RQ64T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	File created: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	File created: C:\ProgramData\ClassicHomeCinema\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-G4VDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-E3J5R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-7MGOG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	File created: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	File created: C:\ProgramData\ClassicHomeCinema\sqlite3.dll			Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

2_2_00ABE8A2

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_0040D758 StartServiceCtrlDispatcherA,

2_2_0040D758

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,	1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00424194 IsIconic,SetActiveWindow,	1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00417598 IsIconic,GetCapture,	1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00417CCE IsIconic,SetWindowPos,	1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CD0

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F118

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_60920C91 rdtsc

2_2_60920C91

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

2_2_00ABE9A6

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-T75LM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-0BQ7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-RQ64T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-G4VDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-E3J5R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-7MGOG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5972

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_2-61514

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

API coverage: 4.6 %

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 7644	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 7644	Thread sleep time: -162000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 7100	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 7100	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463CDC

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: classichomecinema.exe, 00000002.00000002.3555336843.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, classichomecinema.exe, 00000002.00000002.3556348800.00000000033E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: classichomecinema.exe, 00000002.00000002.3556348800.00000000033E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWWGLM

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	API call chain: ExitProcess graph end node			graph_0-6769
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	API call chain: ExitProcess graph end node			graph_2-61668

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_2-61410

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_60920C91 rdtsc

2_2_60920C91

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00AC80F0 IsDebuggerPresent,

2_2_00AC80F0

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00ACE6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

2_2_00ACE6AE

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502C0

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00AB5E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,

2_2_00AB5E59

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00AC80DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00AC80DA

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478504

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E09C

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Code function: 2_2_00ABE85A cpuid

2_2_00ABE85A

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: GetLocaleInfoA,	1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	Code function: GetLocaleInfoA,	1_2_004085B4

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_004585C8

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Code function: 1_2_0045559C GetUserNameA,

1_2_0045559C

Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000002.00000002.3556027586.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: classichomecinema.exe PID: 7640, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000002.00000002.3556027586.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: classichomecinema.exe PID: 7640, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	2_2_609660FA
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	2_2_6090C1D6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,	2_2_60963143
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_6096A2BD
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,	2_2_6096923E
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,	2_2_6096A38C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	2_2_6096748C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	2_2_609254B1
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_6094B407
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6090F435 sqlite3_bind_parameter_index,	2_2_6090F435
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,	2_2_609255D4
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609255FF sqlite3_bind_text,	2_2_609255FF
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,	2_2_6096A5EE
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,	2_2_6094B54C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,	2_2_60925686
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,	2_2_6094A6C5
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,	2_2_609256E5
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	2_2_6094B6ED
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6092562A sqlite3_bind_blob,	2_2_6092562A
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,	2_2_60925655
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_6094C64A
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	2_2_609687A7
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_6095F7F7
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,	2_2_6092570B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095F772
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	2_2_60925778
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6090577D sqlite3_bind_parameter_name,	2_2_6090577D
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	2_2_6094B764
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6090576B sqlite3_bind_parameter_count,	2_2_6090576B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_6094A894
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095F883
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,	2_2_6094C8C2
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,	2_2_6096281E
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,	2_2_6096583A
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,	2_2_6095F9AD
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6094A92B
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6090EAE5 sqlite3_transfer_bindings,	2_2_6090EAE5
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_6095FB98
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	2_2_6095ECA6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095FCCE
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_6095FDAE
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,	2_2_60966DF1
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_60969D75
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	Code function: 2_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	2_2_6095FFB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	5 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Bootkit	1 Access Token Manipulation	21 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	5 Windows Service	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	121 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe	100%	Joe Sandbox ML
C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe	100%	Joe Sandbox ML
C:\ProgramData\ClassicHomeCinema\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-0BQ7F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-7MGOG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-E3J5R.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-RQ64T.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-T75LM.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\sqlite3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-G4VDT.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp	3%	ReversingLabs

Name	Malicious	Antivirus Detection	Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4da9c5b	false		unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119db388a	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.innosetup.com/	EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	false	high
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325	classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.remobjects.com/psU	EQ5Vcf19u8.exe, 00000000.00000003.1694370826.0000000002088000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1694235169.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	false	high
https://188.119.66.185/priseCertificates	classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4	classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	EQ5Vcf19u8.exe	false	high
https://188.119.66.185/	classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	EQ5Vcf19u8.exe	false	high
https://188.119.66.185/a	classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.remobjects.com/ps	EQ5Vcf19u8.exe, 00000000.00000003.1694370826.0000000002088000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1694235169.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000000.1694958711.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-G4VDT.tmp.1.dr	false	high
https://www.easycutstudio.com/support.html	EQ5Vcf19u8.exe, 00000000.00000002.3555201992.0000000002081000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1693888335.0000000002300000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1693955102.0000000002081000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1695608267.0000000003100000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.3555541276.0000000002128000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.3555255376.000000000068B000.00000004.00000020.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1695670125.0000000002128000.00000004.00001000.00020000.00000000.sdmp	false	high
https://188.119.66.185/j	classichomecinema.exe, 00000002.00000002.3555336843.000000000098F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://188.119.66.185/allowedCert_OS_1	classichomecinema.exe, 00000002.00000002.3556348800.00000000033EE000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.214.157.206	unknown	Germany		58329	RACKPLACEDE	false
188.119.66.185	unknown	Russian Federation		209499	FLYNETRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579844
Start date and time:	2024-12-23 11:46:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EQ5Vcf19u8.exe renamed because original name is a hash value
Original Sample Name:	9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@5/26@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 194 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: EQ5Vcf19u8.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
31.214.157.206	Oz2UhFBTHy.exe	Get hash	malicious	Socks5Systemz	Browse	200
188.119.66.185	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse
	steel.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse
	stories.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse
	basx.exe	Get hash	malicious	Socks5Systemz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKPLACEDE	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	Oz2UhFBTHy.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.226
	GEm3o8pION.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	bzX2pV3Ybw.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	Ni2ghr9eUJ.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	Ni2ghr9eUJ.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	2mtt3zE6Vh.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
	7i6bUvYZ4L.exe	Get hash	malicious	Socks5Systemz	Browse	31.214.157.206
FLYNETRU	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eip&ts=67645d30	Get hash	malicious	Unknown	Browse	188.119.66.154
	https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eil&ts=67645d30	Get hash	malicious	Unknown	Browse	188.119.66.154
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	steel.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	WindowsUpdate.exe	Get hash	malicious	Unknown	Browse	188.119.66.185
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	steel.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185
	stories.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse	188.119.66.185

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\ClassicHomeCinema\sqlite3.dll	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse
	steel.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse
	stories.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse
	basx.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe

Download File

Process:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2776237
Entropy (8bit):	6.89792615350219
Encrypted:	false
SSDEEP:	49152:eyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:hlBu04v09412CbTxZ/cXg
MD5:	765448A33166E70D7C75392D7E8FC161
SHA1:	6EFD4DCAC1045792CBC34AC0DF7B71DDD887468C
SHA-256:	B10B4798571466E062ED070548787DC205D774041D593197183BD68544420739
SHA-512:	F71113152642359675CDBB0A6FEF08F0922CC978A2909DEBAE0C689145DBFCD2079673E91CDCF32F9B581AF175F08068559D6D284F838D71FE1D3035963B8C96
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....5ig.....................J.......V............@................................................................................`..................................................................................H............................amtt4..:........................... ..`.antt4...4.......6..................@..@.aott4...e.......2..................@....rsrc........`......................@..@.aptt4..............................`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ClassicHomeCinema\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: vwZcJ81cpN.exe, Detection: malicious, Browse Filename: vwZcJ81cpN.exe, Detection: malicious, Browse Filename: r4xiHKy8aM.exe, Detection: malicious, Browse Filename: gjEtERlBSv.exe, Detection: malicious, Browse Filename: gjEtERlBSv.exe, Detection: malicious, Browse Filename: Hbq580QZAR.exe, Detection: malicious, Browse Filename: steel.exe.2.exe, Detection: malicious, Browse Filename: stories.exe.2.exe, Detection: malicious, Browse Filename: basx.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\ProgramData\eu1223it56.dat

Download File

Process:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:bm/l:G
MD5:	53117268CBF15BE379F35C66B2C51E77
SHA1:	ED6585067D4F1126B61B2AA138FEFD6F057D388D
SHA-256:	63B281F09325232AC56F02A5646718E71908D21025B4176E8A33915445C072BA
SHA-512:	B6AC9682FB74DF00ECC5F7E44C0D48548DB3CD35985AA033DE60A4E58B39B7E3838AC23AE993A221DC7B3946001AFA437927B664C7FBFAC91557D44DB0C50969
Malicious:	false
Reputation:	low
Preview:	.?ig....

C:\ProgramData\eu1223rc56.dat

Download File

Process:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:M:M
MD5:	4352D88A78AA39750BF70CD6F27BCAA5
SHA1:	3C585604E87F855973731FEA83E21FAB9392D2FC
SHA-256:	67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
SHA-512:	EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....

C:\ProgramData\eu1223resa.dat

Download File

Process:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9012093522336393
Encrypted:	false
SSDEEP:	3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
MD5:	679DD163372163CD8FFC24E3C9E758B3
SHA1:	F307C14CA65810C8D0238B89B49B2ACD7C5B233B
SHA-256:	510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
SHA-512:	46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
Malicious:	false
Preview:	12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.chm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	78183
Entropy (8bit):	7.692742945771669
Encrypted:	false
SSDEEP:	1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
MD5:	B1B9E6D43319F6D4E52ED858C5726A97
SHA1:	5033047A30CCCF57783C600FD76A6D220021B19D
SHA-256:	8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
SHA-512:	E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
Malicious:	false
Preview:	ITSF....`..........E.......\|.{.......".....\|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...\|.{./Auto-SmartPatchCosmet

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	6.204917493416147
Encrypted:	false
SSDEEP:	3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5:	FEC4FF0C2967A05543747E8D552CF9DF
SHA1:	B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256:	5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512:	93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2776237
Entropy (8bit):	6.89792615350219
Encrypted:	false
SSDEEP:	49152:eyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:hlBu04v09412CbTxZ/cXg
MD5:	765448A33166E70D7C75392D7E8FC161
SHA1:	6EFD4DCAC1045792CBC34AC0DF7B71DDD887468C
SHA-256:	B10B4798571466E062ED070548787DC205D774041D593197183BD68544420739
SHA-512:	F71113152642359675CDBB0A6FEF08F0922CC978A2909DEBAE0C689145DBFCD2079673E91CDCF32F9B581AF175F08068559D6D284F838D71FE1D3035963B8C96
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....5ig.....................J.......V............@................................................................................`..................................................................................H............................amtt4..:........................... ..`.antt4...4.......6..................@..@.aott4...e.......2..................@....rsrc........`......................@..@.aptt4..............................`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1645320
Entropy (8bit):	6.787752063353702
Encrypted:	false
SSDEEP:	24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
MD5:	871C903A90C45CA08A9D42803916C3F7
SHA1:	D962A12BC15BFB4C505BB63F603CA211588958DB
SHA-256:	F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
SHA-512:	985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..\|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-0BQ7F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	6.204917493416147
Encrypted:	false
SSDEEP:	3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5:	FEC4FF0C2967A05543747E8D552CF9DF
SHA1:	B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256:	5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512:	93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-1OQ1J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	data
Category:	dropped
Size (bytes):	2776237
Entropy (8bit):	6.897925946158875
Encrypted:	false
SSDEEP:	49152:xyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:4lBu04v09412CbTxZ/cXg
MD5:	14488CA0E9ECB480700491BA236B41D3
SHA1:	CAA9554DF651D5CB054CC4CB19505620A217DBD9
SHA-256:	277FB3E35678D323C87099C7625A4695E8BD558493430C1751F6E826EAE7B908
SHA-512:	0049D19A2CD38E05AAE9E2F74D98494F3431D3155F0BABA388480F7EE8D26452057FCFD778C0EAAF37109FD0BA98FF95DB2817640B5A357D83A95D32409B0E5C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-1OQ1J.tmp, Author: Joe Security
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....5ig.....................J.......V............@................................................................................`..................................................................................H............................amtt4..:........................... ..`.antt4...4.......6..................@..@.aott4...e.......2..................@....rsrc........`......................@..@.aptt4..............................`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-7MGOG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-E3J5R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.542655141037356
Encrypted:	false
SSDEEP:	6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5:	86F1895AE8C5E8B17D99ECE768A70732
SHA1:	D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256:	8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512:	3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4\|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-PL42V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	78183
Entropy (8bit):	7.692742945771669
Encrypted:	false
SSDEEP:	1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
MD5:	B1B9E6D43319F6D4E52ED858C5726A97
SHA1:	5033047A30CCCF57783C600FD76A6D220021B19D
SHA-256:	8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
SHA-512:	E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
Malicious:	false
Preview:	ITSF....`..........E.......\|.{.......".....\|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...\|.{./Auto-SmartPatchCosmet

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-RQ64T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1645320
Entropy (8bit):	6.787752063353702
Encrypted:	false
SSDEEP:	24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
MD5:	871C903A90C45CA08A9D42803916C3F7
SHA1:	D962A12BC15BFB4C505BB63F603CA211588958DB
SHA-256:	F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
SHA-512:	985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..\|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-T75LM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499712
Entropy (8bit):	6.414789978441117
Encrypted:	false
SSDEEP:	12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
MD5:	561FA2ABB31DFA8FAB762145F81667C2
SHA1:	C8CCB04EEDAC821A13FAE314A2435192860C72B8
SHA-256:	DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
SHA-512:	7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:\|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499712
Entropy (8bit):	6.414789978441117
Encrypted:	false
SSDEEP:	12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
MD5:	561FA2ABB31DFA8FAB762145F81667C2
SHA1:	C8CCB04EEDAC821A13FAE314A2435192860C72B8
SHA-256:	DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
SHA-512:	7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:\|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.542655141037356
Encrypted:	false
SSDEEP:	6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5:	86F1895AE8C5E8B17D99ECE768A70732
SHA1:	D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256:	8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512:	3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4\|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\sqlite3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-G4VDT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	717985
Entropy (8bit):	6.514903669143629
Encrypted:	false
SSDEEP:	12288:+TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyFj:+PcYn5c/rPx37/zHBA6pFptZ1CEoqMRG
MD5:	A170DF3B154D2DE2AAAE594B2421E4C7
SHA1:	5302C579870D83176682BB41A9D516D7224CA8A6
SHA-256:	3484726C89963BBAE4821B645FD582622524F189E10FDC7AF92094D627011D44
SHA-512:	1705A73535EE3D73288C29E7C444C9F9106CD1812765800E79ABC5B55DAB68279244DD5502986D45B42E89DAE26D45256F3F6C14CD014E5E1D9C84F767725645
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	InnoSetup Log Classic Home Cinema, version 0x30, 4757 bytes, 621365\user, "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12"
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.733776293847443
Encrypted:	false
SSDEEP:	96:PFdWr38cpA4cBd9S+eOIhyAa7ICSss/Ln3vX/uwuau8HrubHk37o:NdWr33pA42HIh6ICSsAnXRTfu
MD5:	7226E6265D57668BED13743BDE77B165
SHA1:	0BC9AF83A61F168BD021E5840602E6251A96B779
SHA-256:	F7247E7EE06D9A12F6E5DBD1F9CA5EF01F61ADB9F295E7214CBC33A493FCCD01
SHA-512:	D987F97AD391B05C0D2519199A11C92707300BFE1BE94911EE2824B3DC963F6A152369B430E4C0077C892AC8D92057DD604F8B204A62017EA78F4AEB071A287F
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Classic Home Cinema.............................................................................................................Classic Home Cinema.............................................................................................................0...........%...........................................................................................................................i........W....621365.user7C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12.........../...;.. ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	717985
Entropy (8bit):	6.514903669143629
Encrypted:	false
SSDEEP:	12288:+TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyFj:+PcYn5c/rPx37/zHBA6pFptZ1CEoqMRG
MD5:	A170DF3B154D2DE2AAAE594B2421E4C7
SHA1:	5302C579870D83176682BB41A9D516D7224CA8A6
SHA-256:	3484726C89963BBAE4821B645FD582622524F189E10FDC7AF92094D627011D44
SHA-512:	1705A73535EE3D73288C29E7C444C9F9106CD1812765800E79ABC5B55DAB68279244DD5502986D45B42E89DAE26D45256F3F6C14CD014E5E1D9C84F767725645
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.289297026665552
Encrypted:	false
SSDEEP:	48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:	C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:	D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:	E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:	2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DJUE0.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp

Download File

Process:	C:\Users\user\Desktop\EQ5Vcf19u8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	706560
Entropy (8bit):	6.506375340710484
Encrypted:	false
SSDEEP:	12288:GTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyF:WPcYn5c/rPx37/zHBA6pFptZ1CEoqMRU
MD5:	BCF2F0322A00DC0DE9B0CAE39438B480
SHA1:	81D7CB7F7F83A6CADAABC4D407C94B9C01C6BF7B
SHA-256:	D450B34EFA2D2E162CD0C79C8B6BE88D035B84F0E25EC28C52B2A2068DA3C701
SHA-512:	B0CD6513B174AED0049206F490A9D15F9C7814C79960041EC2BA8A9EA6C171D6138F33BD544E917FB38E653731D57D57058DCC2C29D22D18198299F901E3DF7F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997628924855278
TrID:	Win32 Executable (generic) a (10002005/4) 98.32% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	EQ5Vcf19u8.exe
File size:	3'335'813 bytes
MD5:	849f1e782aef6fc885225f115db43236
SHA1:	2e790be949272e97d9fd71b7a6ea34140f08fb16
SHA256:	9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
SHA512:	5424569f06069f8051516acb203f3e4eb889c0417b0a2552ea9aa992c4467e684f6b09ad78812b1a76de6f6a8722cad5427cef4a860799ac449b6a62d8c82b87
SSDEEP:	98304:M4TCwmZJtRTroyMXl2ZT3nt+kRDVBAGhYhbuXBQTu2:Mrria3t+sD8GhObuxz2
TLSH:	A2F533D7A2A9D27DD4F7A0F0852F971E9633392A1E755038268D2ACE8FF3619484C7C4
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x40a5f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F35604E3D33h
call 00007F35604E4F3Ah
call 00007F35604E51C9h
call 00007F35604E526Ch
call 00007F35604E720Bh
call 00007F35604E9B76h
call 00007F35604E9CDDh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F35604EA78Bh
call 00007F35604EA376h
cmp byte ptr [0040B234h], 00000000h
je 00007F35604EB26Eh
call 00007F35604EA888h
xor eax, eax
call 00007F35604E4A29h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F35604E781Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE28h
call 00007F35604E3DCAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE28h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F35604E80AAh
mov dword ptr [0040CE2Ch], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F35604EA7E6h
mov dword ptr [0040CE34h], eax
mov eax, dword ptr [0040CE34h]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9d30	0x9e00	c3bd95c4b1a8e5199981e0d9b45fd18c	False	0.6052709651898734	data	6.631765876950794	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x250	0x400	1ee71d84f1c77af85f1f5c278f880572	False	0.306640625	data	2.751820662285145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe8c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8c4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	83e09258de55f10b9aaa4a81ee5fc40a	False	0.3259055397727273	data	4.495073399157993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4f4	data	English	United States	0.2634069400630915
RT_MANIFEST	0x13570	0x5a4	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42590027700831024

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T11:49:10.321846+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49887	188.119.66.185	443	TCP
2024-12-23T11:49:11.133576+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49887	188.119.66.185	443	TCP
2024-12-23T11:49:16.153824+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49904	188.119.66.185	443	TCP
2024-12-23T11:49:16.849386+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49904	188.119.66.185	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 11:49:08.657114983 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:08.657170057 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:08.657253027 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:08.672348976 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:08.672379971 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:10.321713924 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:10.321846008 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:10.371169090 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:10.371207952 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:10.371640921 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:10.371704102 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:10.375396013 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:10.419352055 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:11.133641958 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:11.133698940 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:11.133713007 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:11.133831024 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:11.142443895 CET	49887	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:11.142492056 CET	443	49887	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:11.149705887 CET	49893	2024	192.168.2.4	31.214.157.206
Dec 23, 2024 11:49:11.269265890 CET	2024	49893	31.214.157.206	192.168.2.4
Dec 23, 2024 11:49:11.269330025 CET	49893	2024	192.168.2.4	31.214.157.206
Dec 23, 2024 11:49:11.269378901 CET	49893	2024	192.168.2.4	31.214.157.206
Dec 23, 2024 11:49:11.388827085 CET	2024	49893	31.214.157.206	192.168.2.4
Dec 23, 2024 11:49:11.388874054 CET	49893	2024	192.168.2.4	31.214.157.206
Dec 23, 2024 11:49:11.508384943 CET	2024	49893	31.214.157.206	192.168.2.4
Dec 23, 2024 11:49:12.509660959 CET	2024	49893	31.214.157.206	192.168.2.4
Dec 23, 2024 11:49:12.557320118 CET	49893	2024	192.168.2.4	31.214.157.206
Dec 23, 2024 11:49:14.511818886 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:14.511936903 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:14.512053967 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:14.512304068 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:14.512326002 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.153764009 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.153824091 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:16.154299021 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:16.154309034 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.154578924 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:16.154586077 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.849389076 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.849457026 CET	443	49904	188.119.66.185	192.168.2.4
Dec 23, 2024 11:49:16.849539995 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:16.849694967 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:16.849694967 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:17.151098013 CET	49904	443	192.168.2.4	188.119.66.185
Dec 23, 2024 11:49:17.151160955 CET	443	49904	188.119.66.185	192.168.2.4

HTTP Request Dependency Graph

188.119.66.185

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49887	188.119.66.185	443	7640	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 10:49:10 UTC	283	OUT	GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119db388a HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
2024-12-23 10:49:11 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 23 Dec 2024 10:49:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2024-12-23 10:49:11 UTC	686	IN	Data Raw: 32 61 32 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 63 32 37 62 36 62 63 38 66 38 30 32 32 34 63 62 64 33 62 63 31 39 30 32 34 39 66 37 65 31 36 66 65 30 34 64 64 65 37 36 37 34 62 62 33 35 63 38 64 31 65 33 66 37 38 37 61 61 30 61 66 30 64 39 62 66 35 30 31 64 32 39 39 62 32 63 61 32 39 37 37 64 33 65 61 35 33 63 36 38 38 66 65 34 66 64 64 64 33 39 66 35 35 61 63 62 64 66 35 63 35 30 61 31 64 63 36 64 35 30 37 30 30 64 63 33 32 32 36 30 37 64 32 33 32 38 39 64 65 64 33 39 34 35 64 34 38 63 32 37 37 33 63 65 37 64 63 30 32 35 34 37 31 31 32 37 30 63 66 65 64 31 37 37 36 62 33 66 30 35 66 61 65 65 65 65 30 35 33 61 64 37 63 64 38 63 63 32 32 65 62 66 37 63 37 66 32 34 62 31 36 38 38 35 32 39 62 33 65 61 66 33 34 Data Ascii: 2a28b723c68ee18403c660fbfe0384c27b6bc8f80224cbd3bc190249f7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b2ca2977d3ea53c688fe4fddd39f55acbdf5c50a1dc6d50700dc322607d23289ded3945d48c2773ce7dc0254711270cfed1776b3f05faeeee053ad7cd8cc22ebf7c7f24b1688529b3eaf34

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49904	188.119.66.185	443	7640	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 10:49:16 UTC	291	OUT	GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946e44be43869e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4da9c5b HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
2024-12-23 10:49:16 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 23 Dec 2024 10:49:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2024-12-23 10:49:16 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Target ID:	0
Start time:	05:47:04
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\EQ5Vcf19u8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EQ5Vcf19u8.exe"
Imagebase:	0x400000
File size:	3'335'813 bytes
MD5 hash:	849F1E782AEF6FC885225F115DB43236
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:47:04
Start date:	23/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HVAF2.tmp\EQ5Vcf19u8.tmp" /SL5="$20478,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"
Imagebase:	0x400000
File size:	706'560 bytes
MD5 hash:	BCF2F0322A00DC0DE9B0CAE39438B480
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.3556080703.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:47:05
Start date:	23/12/2024
Path:	C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i
Imagebase:	0x400000
File size:	2'776'237 bytes
MD5 hash:	765448A33166E70D7C75392D7E8FC161
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.3556027586.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.1706052559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1520
Total number of Limit Nodes:	22

Executed Functions

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B8A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669

Function 0040520C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6

Strings

SetSearchPathMode, xrefs: 0040459F
kernel32.dll, xrefs: 0040457D
SetProcessDEPPolicy, xrefs: 004045B5
SetDllDirectoryW, xrefs: 00404589

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040AAC1

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020724B0), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(00020478,000000FC,00409960), ref: 0040AB15
RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(00020478,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
STATIC, xrefs: 0040AAF7
/SL5="$%x,%d,%d,, xrefs: 0040AB55

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3757039580-3001827809
Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

Wow64RevertWow64FsRedirection, xrefs: 004090D4
Wow64DisableWow64FsRedirection, xrefs: 004090BA
kernel32.dll, xrefs: 004090BF, 004090D9
shell32.dll, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(00020478,000000FC,00409960), ref: 0040AB15

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94

Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8,00000000,00409ABF), ref: 00409A5C
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8,00000000), ref: 00409A70
Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8), ref: 00409AA4

RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(00020478,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
STATIC, xrefs: 0040AAF7
/SL5="$%x,%d,%d,, xrefs: 0040AB55

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8,00000000,00409ABF), ref: 00409A5C
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8,00000000), ref: 00409A70
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724B0,00409AD8), ref: 00409AA4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020724B0), ref: 0040966C

Strings

D, xrefs: 00409A36

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

y@, xrefs: 0040A981
.tmp, xrefs: 0040A8BE

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

y@, xrefs: 0040A981
.tmp, xrefs: 0040A8BE

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00405280 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F

Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02088000,0040AA59,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409C34 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E

Function 00405258 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CF4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1

Strings

.DEFAULT\Control Panel\International, xrefs: 00407078
kernel32.dll, xrefs: 00407048
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
GetUserDefaultUILanguage, xrefs: 00407043
Locale, xrefs: 00407090

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004053C4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Strings

:mm:ss, xrefs: 004055DA
mmmm d, yyyy, xrefs: 004054CF
:mm, xrefs: 004055C0
m/d/yy, xrefs: 004054AD
AMPM, xrefs: 004055A9

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(004CAB80,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,004CAB80,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(004CBB80,?,00000000,00008000,004CAB80,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

9@, xrefs: 00403D29, 00403D34
Runtime error at 00000000, xrefs: 00403D96, 00403DA9
Error, xrefs: 00403D91

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE

Strings

%K, xrefs: 004030F3
U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$%K
API String ID: 2123368496-2600722078
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99

Function 00409C88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
Setup, xrefs: 00409CAD

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.3555008849.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3554980956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555039165.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3555056014.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Analysis Process: EQ5Vcf19u8.tmpPID: 7620, Parent PID: 7604COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	85

Executed Functions

Function 004706A8 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 965COMMON

Download Yara Rule

Strings

User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
Uninstaller requires administrator: %s, xrefs: 0047118F
Failed to strip read-only attribute., xrefs: 00470ED3
Will register the file (a type library) later., xrefs: 00471513
Incrementing shared file count (32-bit)., xrefs: 004715A5
Installing the file., xrefs: 00470F09
Couldn't read time stamp. Skipping., xrefs: 00470D35
Same time stamp. Skipping., xrefs: 00470D55
Time stamp of our file: %s, xrefs: 0047099B
Version of existing file: (none), xrefs: 00470CFA
, xrefs: 00470BCF, 00470DA0, 00470E1E
InUn, xrefs: 0047115F
Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
Version of our file: (none), xrefs: 00470AFC
Non-default bitness: 64-bit, xrefs: 004708AF
Existing file has a later time stamp. Skipping., xrefs: 00470DCF
Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
Dest filename: %s, xrefs: 00470894
Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
.tmp, xrefs: 00470FB7
Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
Incrementing shared file count (64-bit)., xrefs: 0047158C
Stripped read-only attribute., xrefs: 00470EC7
Installing into GAC, xrefs: 00471714
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
Time stamp of existing file: %s, xrefs: 00470A2B
-- File entry --, xrefs: 004706FB
Time stamp of existing file: (failed to read), xrefs: 00470A37
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
Time stamp of our file: (failed to read), xrefs: 004709A7
Will register the file (a DLL/OCX) later., xrefs: 0047151F
Dest file is protected by Windows File Protection., xrefs: 004708ED
Existing file is a newer version. Skipping., xrefs: 00470C02
Dest file exists., xrefs: 004709BB
@, xrefs: 004707B0
Non-default bitness: 32-bit, xrefs: 004708BB
Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
Same version. Skipping., xrefs: 00470CE5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

Function 0042E09C Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A

Strings

advapi32.dll, xrefs: 0042E107
CheckTokenMembership, xrefs: 0042E102

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

Function 004502C0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00480B52), ref: 004502D3
LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
GetProcAddress.KERNEL32(6E540000,RmStartSession), ref: 00450309
GetProcAddress.KERNEL32(6E540000,RmRegisterResources), ref: 0045031E
GetProcAddress.KERNEL32(6E540000,RmGetList), ref: 00450333
GetProcAddress.KERNEL32(6E540000,RmShutdown), ref: 00450348
GetProcAddress.KERNEL32(6E540000,RmRestart), ref: 0045035D
GetProcAddress.KERNEL32(6E540000,RmEndSession), ref: 00450372

Strings

RmStartSession, xrefs: 004502FE
Rstrtmgr.dll, xrefs: 004502E6
RmGetList, xrefs: 00450328
RmShutdown, xrefs: 0045033D
RmRestart, xrefs: 00450352
RmRegisterResources, xrefs: 00450313
RmEndSession, xrefs: 00450367

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 1968650500-3419246398
Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

Function 00423C0C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

Function 004673A4 Relevance: 15.6, APIs: 4, Strings: 4, Instructions: 1649
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773

Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB

Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0

Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58

Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A

Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5

Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5

Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212FBF4,02131954,?,?,02131984,?,?,021319D4,?), ref: 004683FD
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426

Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072

Strings

STOPIMAGE, xrefs: 00467768
, xrefs: 00467835
%H, xrefs: 0046766D, 00467681
(Default), xrefs: 00468A0F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE$%H
API String ID: 3231140908-2624782221
Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A

Function 00474F88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC

Strings

unins, xrefs: 00475034
unins???.*, xrefs: 00474FCB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59

Function 0046E0E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A

Strings

h{n, xrefs: 0046E123, 0046E12F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateInstanceVersion
String ID: h{n
API String ID: 1462612201-3745820648
Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F

Function 00452A60 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8

Function 00408568 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8

Function 00423B84 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90

Function 0045559C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 004555B2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756

Function 0042F520 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Function 0046F058 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67

Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7

RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0

Strings

InstallLocation, xrefs: 0046F19E
EstimatedSize, xrefs: 0046F66D
Contact, xrefs: 0046F4CF
Inno Setup: User Info: Name, xrefs: 0046F2A6
ModifyPath, xrefs: 0046F50C
_is1, xrefs: 0046F0B4
Inno Setup: Selected Components, xrefs: 0046F228
DisplayIcon, xrefs: 0046F373
Inno Setup: User, xrefs: 0046F1EA
NoRepair, xrefs: 0046F534
Inno Setup: Language, xrefs: 0046F2F7
MajorVersion, xrefs: 0046F57F
Comments, xrefs: 0046F4EC
HelpTelephone, xrefs: 0046F45B
Inno Setup: App Path, xrefs: 0046F17E
MinorVersion, xrefs: 0046F591
Inno Setup: Setup Type, xrefs: 0046F209
5.5.3 (a), xrefs: 0046F14E
Publisher, xrefs: 0046F421
Inno Setup: Deselected Tasks, xrefs: 0046F28E
UninstallString, xrefs: 0046F3AD
Inno Setup: User Info: Organization, xrefs: 0046F2BB
Readme, xrefs: 0046F4B2
NoModify, xrefs: 0046F520
QuietUninstallString, xrefs: 0046F3E7
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046F0AE
InstallDate, xrefs: 0046F553
Inno Setup: Icon Group, xrefs: 0046F1AD
Inno Setup: User Info: Serial, xrefs: 0046F2D0
URLInfoAbout, xrefs: 0046F43E
Inno Setup: No Icons, xrefs: 0046F1CB
DisplayName, xrefs: 0046F356
Inno Setup: Deselected Components, xrefs: 0046F247
HelpLink, xrefs: 0046F478
RegisterPreviousData, xrefs: 0046F6A6
" /SILENT, xrefs: 0046F3DA
DisplayVersion, xrefs: 0046F404
Inno Setup: Setup Version, xrefs: 0046F149
Inno Setup: Selected Tasks, xrefs: 0046F26F
URLUpdateInfo, xrefs: 0046F495

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Value$Close
String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3391052094-3342197833
Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

Function 00492848 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
FindWindowA.USER32(00000000,00000000), ref: 004928B9

Strings

CALLDLLPROC, xrefs: 00492BAD
CREATEMUTEX, xrefs: 00492C69
FINDWINDOWBYWINDOWNAME, xrefs: 004928D1
FINDWINDOWBYCLASSNAME, xrefs: 00492895
SENDNOTIFYMESSAGE, xrefs: 004929BF
CHARTOOEMBUFF, xrefs: 00492CDE
FREEDLL, xrefs: 00492C34
POSTMESSAGE, xrefs: 00492963
REGISTERWINDOWMESSAGE, xrefs: 00492A1B
SENDMESSAGE, xrefs: 0049290D
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00492AF7
LOADDLL, xrefs: 00492B4B
SENDBROADCASTMESSAGE, xrefs: 00492A55
POSTBROADCASTMESSAGE, xrefs: 00492AA3
SLEEP, xrefs: 00492872
OEMTOCHARBUFF, xrefs: 00492C9B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

Function 00483A7C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D

Strings

GetNativeSystemInfo, xrefs: 00483A94
RegDeleteKeyExA, xrefs: 00483AE6
IsWow64Process, xrefs: 00483AAA
kernel32.dll, xrefs: 00483A88
advapi32.dll, xrefs: 00483AEB
GetSystemWow64DirectoryA, xrefs: 00483AD7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

Function 00468D88 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B

Strings

Inno Setup: User Info: Name, xrefs: 00468F47
Inno Setup: User Info: Serial, xrefs: 00468F6D
Inno Setup: App Path, xrefs: 00468E4A
Inno Setup: Selected Tasks, xrefs: 00468EF7
Inno Setup: Icon Group, xrefs: 00468E66
Inno Setup: Deselected Components, xrefs: 00468ECC
%s\%s_is1, xrefs: 00468E05
Inno Setup: No Icons, xrefs: 00468E73
Inno Setup: Setup Type, xrefs: 00468E9A
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
Inno Setup: Selected Components, xrefs: 00468EAA
Inno Setup: Deselected Tasks, xrefs: 00468F19
Inno Setup: User Info: Organization, xrefs: 00468F5A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

Function 0047C66C Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910

SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E

Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233

Strings

Common Files, xrefs: 0047C7A5
SystemDrive, xrefs: 0047C6D3
Failed to get path of 64-bit Program Files directory, xrefs: 0047C7DD
CommonFilesDir, xrefs: 0047C76E, 0047C7EA
Failed to get path of 64-bit Common Files directory, xrefs: 0047C80C
ProgramFilesDir, xrefs: 0047C734, 0047C7BB
\Program Files, xrefs: 0047C75B
COMMAND.COM, xrefs: 0047C91D
cmd.exe, xrefs: 0047C8FC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3771764029-544719455
Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

Function 00423874 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2

GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
RegisterClassA.USER32(00499630), ref: 004238B7
GetSystemMetrics.USER32(00000000), ref: 004238D9
GetSystemMetrics.USER32(00000001), ref: 004238E8
SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2

Strings

|6B, xrefs: 00423893, 00423914

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: |6B
API String ID: 183575631-3009739247
Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Function 0047CE78 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047CF7A

Strings

_isetup\_shfoldr.dll, xrefs: 0047CEAA
Failed to load DLL "%s", xrefs: 0047CF5D
Failed to get version numbers of _shfoldr.dll, xrefs: 0047CED0
]xI, xrefs: 0047CF58
SHFOLDERDLL, xrefs: 0047CEB7
SHGetFolderPathA, xrefs: 0047CF6F
Failed to get address of SHGetFolderPath function, xrefs: 0047CF8B
shell32.dll, xrefs: 0047CF25
shfolder.dll, xrefs: 0047CEDD, 0047CF16

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-256906917
Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

Function 0040631C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366

Strings

SetSearchPathMode, xrefs: 0040633F
kernel32.dll, xrefs: 0040631D
SetDllDirectoryW, xrefs: 00406329
SetProcessDEPPolicy, xrefs: 00406355

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD

Function 0041321B Relevance: 14.6, APIs: 6, Strings: 2, Instructions: 633COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
GetWindowLongA.USER32(?,000000F0), ref: 0041366F
GetWindowLongA.USER32(?,000000F4), ref: 00413681
SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
SetPropA.USER32(?,00000000,00000000), ref: 004136AB
SetPropA.USER32(?,00000000,00000000), ref: 004136C2

Strings

yA, xrefs: 004132DE
3A, xrefs: 0041343D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: LongWindow$Prop
String ID: 3A$yA
API String ID: 3887896539-3278460822
Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

Function 00467180 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249

Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327

Strings

shell32.dll, xrefs: 00467284
%H, xrefs: 0046718B
c:\directory, xrefs: 0046721E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll$%H
API String ID: 3376378930-166502273
Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59

Function 0042F560 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F58F
GetFocus.USER32 ref: 0042F597
RegisterClassA.USER32(004997AC), ref: 0042F5B8
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654

Strings

TWindowDisabler-Window, xrefs: 0042F5EF, 0042F635

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD

Function 004531F0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230

Strings

Wow64RevertWow64FsRedirection, xrefs: 00453220
Wow64DisableWow64FsRedirection, xrefs: 00453206
kernel32.dll, xrefs: 0045320B, 00453225
shell32.dll, xrefs: 0045325C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D

Function 00430940 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
GetCurrentThreadId.KERNEL32 ref: 00430971
GlobalAddAtomA.KERNEL32(00000000), ref: 00430992

Strings

commdlg_help, xrefs: 00430943
commdlg_FindReplace, xrefs: 00430952
WndProcPtr%.8X%.8X, xrefs: 00430983

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F

Function 00455010 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7

Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9

Strings

.cmd, xrefs: 004550BB
COMMAND.COM" /C , xrefs: 00455124
.bat, xrefs: 004550A0
D, xrefs: 00455158
cmd.exe" /C ", xrefs: 004550ED

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59

Function 0042368C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
OemToCharA.USER32(?,?), ref: 0042375C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C

Strings

MAINICON, xrefs: 00423711
2, xrefs: 004236EA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59

Function 00418F38 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
GetCurrentThreadId.KERNEL32 ref: 00418F79
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A

Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144

Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C

Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D

Strings

Delphi%.8X, xrefs: 00418F4F
ControlOfs%.8X%.8X, xrefs: 00418F8B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F

Function 0041363C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
GetWindowLongA.USER32(?,000000F0), ref: 0041366F
GetWindowLongA.USER32(?,000000F4), ref: 00413681
SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
SetPropA.USER32(?,00000000,00000000), ref: 004136AB
SetPropA.USER32(?,00000000,00000000), ref: 004136C2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68

Function 004556D8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5

Strings

PendingFileRenameOperations2, xrefs: 00455784
PendingFileRenameOperations, xrefs: 00455754
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
WININIT.INI, xrefs: 004557E4

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58

Function 0047CB94 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30

Strings

\_setup64.tmp, xrefs: 0047CCA2
Created temporary directory: , xrefs: 0047CBC9
_isetup, xrefs: 0047CC12

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68

Function 00423A84 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A1C), ref: 00423AA8
GetWindow.USER32(?,00000003), ref: 00423ABD
GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02

Strings

\AB, xrefs: 00423AF2, 00423AF6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: \AB
API String ID: 4191631535-3948367934
Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59

Function 0042DE44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71

Strings

advapi32.dll, xrefs: 0042DE66
RegDeleteKeyExA, xrefs: 0042DE61

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D

Function 0046BB10 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

Need to restart Windows? %s, xrefs: 0046BE95
PrepareToInstall failed: %s, xrefs: 0046BE6E
NextButtonClick, xrefs: 0046BC4C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A

Function 00483084 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246

Strings

, xrefs: 00483303
Need to restart Windows? %s, xrefs: 00483283

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D

Function 0046FADC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55

Strings

Creating directory: %s, xrefs: 0046FB9E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59

Function 00454DD4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC

Strings

SfcIsFileProtected, xrefs: 00454E7C
sfc.dll, xrefs: 00454E44

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C

Function 00452510 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

74D41520.VERSION(00000000,?,?,?,00497900), ref: 00452530
74D41500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
74D41540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577

Strings

%E, xrefs: 004525BB, 00452583

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: D41500D41520D41540
String ID: %E
API String ID: 2153611984-175436132
Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765

Function 0044B38C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044B401
SelectObject.GDI32(?,00000000), ref: 0044B424
ReleaseDC.USER32(00000000,?), ref: 0044B457

Strings

%H, xrefs: 0044B394

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID: %H
API String ID: 1831053106-1959103961
Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59

Function 0044B0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165

Strings

%H, xrefs: 0044B0C8

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID: %H
API String ID: 65125430-1959103961
Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669

Function 0042ED38 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8

Strings

SHAutoComplete, xrefs: 0042EDA2
shlwapi.dll, xrefs: 0042ED73

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D

Function 00455A10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E

Strings

PendingFileRenameOperations, xrefs: 00455A40
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
PendingFileRenameOperations2, xrefs: 00455A4F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C

Function 00472154 Relevance: 6.3, APIs: 4, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58

Function 0047FCF8 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54

Function 00421274 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421361
SetMenu.USER32(00000000,00000000), ref: 0042137E
SetMenu.USER32(00000000,00000000), ref: 004213B3
SetMenu.USER32(00000000,00000000), ref: 004213CF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D

Function 00416B42 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B84
SetTextColor.GDI32(?,00000000), ref: 00416B9E
SetBkColor.GDI32(?,00000000), ref: 00416BB8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69

Function 004230C8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042311E
EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
ReleaseDC.USER32(00000000,00000000), ref: 00423144

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE

Function 0045C264 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

FlushFileBuffers.KERNEL32(?), ref: 0045C499

Strings

NumRecs range exceeded, xrefs: 0045C396
EndOffset range exceeded, xrefs: 0045C3CD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54

Function 00498BA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356

Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366

Part of subcall function 004063C4: 6F551CD0.COMCTL32(00498BC5), ref: 004063C4

Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2

Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040

Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785

Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F

Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230

Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8

Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609

Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05

Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43

Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077

Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD

SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E

Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978

Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F

Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676

Strings

Setup, xrefs: 00498C85

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 3870281231-3839654196
Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E

Function 0042DC00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC

Strings

$=H, xrefs: 0042DD2F, 0042DC88, 0042DC98, 0042DCF4, 0042DD18, 0042DD08, 0042DCDF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: QueryValue
String ID: $=H
API String ID: 3660427363-3538597426
Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5

Function 00453A24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73

Strings

.tmp, xrefs: 00453A53

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69

Function 00483F88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6

Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077

Strings

shell32.dll, xrefs: 0048406C
SHGetKnownFolderPath, xrefs: 00484062

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 3869789854-2936008475
Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E

Function 0047C5D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A

Strings

RegisteredOwner, xrefs: 0047C617
RegisteredOrganization, xrefs: 0047C629

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C

Function 0047524C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

CreateFile, xrefs: 0047527D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58

Function 0042DE1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DE36
;H, xrefs: 0042DE32, 0042DE35

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows$;H
API String ID: 71445658-2565060666
Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4

Function 004570B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8

Strings

SHCreateItemFromParsingName, xrefs: 004570C3
shell32.dll, xrefs: 004570CD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E

Function 0046CDF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05

Strings

SHPathPrepareForWriteA, xrefs: 0046CDF0
shell32.dll, xrefs: 0046CDFA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F

Function 0044852C Relevance: 4.7, APIs: 3, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99

Function 00481C7C Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D

Function 004243FC Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
TranslateMessage.USER32(?), ref: 0042448F
DispatchMessageA.USER32(?), ref: 00424499

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A

Function 00416644 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041666A
SetPropA.USER32(00000000,00000000), ref: 0041667F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8

Function 00401340 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,|0e,004013A3,?,?,00401443,?,?,?,?,?,00401983), ref: 00401353

Strings

X*e, xrefs: 00401363, 0040136A
|0e, xrefs: 00401340

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AllocLocal
String ID: X*e$|0e
API String ID: 3494564517-3935743162
Opcode ID: 833cffc3d4ae6fddf196a7017a3fa962a39b4640526386715143ff6d9bbaf8a6
Instruction ID: 71c91fbc4c3ed8fd369fb1531a6952d3d9178ec9d6227f0a2e7a8dd8dab45303
Opcode Fuzzy Hash: 833cffc3d4ae6fddf196a7017a3fa962a39b4640526386715143ff6d9bbaf8a6
Instruction Fuzzy Hash: 0CF05E717013018FE724CF29D980656B7E1EBA9365F24807EE5C5D7761D3358C419B94

Function 0041EE54 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE64
IsWindowEnabled.USER32(?), ref: 0041EE6E
EnableWindow.USER32(?,00000000), ref: 0041EE94

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C

Function 00469F1C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0046A02D

Strings

PrepareToInstall, xrefs: 00469FD7, 0046A07E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A

Function 0046C4BC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 0046C658, 0046C66F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E

Function 004825C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00482676

Strings

InitializeWizard, xrefs: 0048260F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E

Function 0047C4F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC

Function 0046EE44 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67

Strings

Inno Setup: Setup Version, xrefs: 0046EE65

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9

Function 0046EEB4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7

Strings

NoModify, xrefs: 0046EEC5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669

Function 0047E474 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA

Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E

SendNotifyMessageA.USER32(00020478,00000496,00002711,-00000001), ref: 0047E6BA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D

Function 0047DD98 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D

Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12

Strings

/G, xrefs: 0047DF6D, 0047DEE0, 0047DEF1, 0047DDD7, 0047DDE2, 0047DE01, 0047DE10

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ByteCharMetricsMultiSystemWide
String ID: /G
API String ID: 224039744-2088674125
Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99

Function 0042DEC0 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D

Function 004527E8 Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68

Function 0040ADD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A

Function 0041EEA4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EEF3
EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18

Function 00452C80 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558

Function 00452770 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C

Function 0042323C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423249
LoadCursorA.USER32(00000000,00000000), ref: 00423273

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569

Function 0042E394 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E39E
LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928

Function 0047C88B Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1

Strings

Common Files, xrefs: 0047C7A5
SystemDrive, xrefs: 0047C6D3
Failed to get path of 64-bit Program Files directory, xrefs: 0047C7DD
CommonFilesDir, xrefs: 0047C76E, 0047C7EA
Failed to get path of 64-bit Common Files directory, xrefs: 0047C80C
ProgramFilesDir, xrefs: 0047C734, 0047C7BB
\Program Files, xrefs: 0047C75B
COMMAND.COM, xrefs: 0047C91D
cmd.exe, xrefs: 0047C8FC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C

Function 004508F8 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916

Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9

Function 004085DC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB

Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09

Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98

Function 0041FB9C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6

Function 0046C450 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492

Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
String ID:
API String ID: 3319771486-0
Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E

Function 00441394 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 004413AB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658

Function 00416550 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0

Function 004149B4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 004507C4 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8

Function 0042CCCC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468

Function 0042E8C8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E

Function 0041AF70 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ExtentPointText
String ID:
API String ID: 566491939-0
Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE

Function 004062E8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71

Function 0042DDE4 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4

Function 00454BF8 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617

Function 0041467C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F10 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675

Function 0042364C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D

ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C

Function 004242C4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242DC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398

Function 00466B40 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 0042CD24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818

Function 00406EC0 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 0045092C Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18

Function 004072A8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824

Function 0042E3EF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18

Function 004165EC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004165F3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55

Function 00448728 Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98

Function 0041F3C4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9

Function 00452FC4 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8

Function 00406F48 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406F49

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
Instruction Fuzzy Hash:

Non-executed Functions

Function 0041F118 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F

Strings

Ctl3dUnregister, xrefs: 0041F1AA
Ctl3DColorChange, xrefs: 0041F23D
BtnWndProc3d, xrefs: 0041F252
Ctl3dSubclassDlgEx, xrefs: 0041F1D4
CTL3D32.DLL, xrefs: 0041F149
Ctl3dUnAutoSubclass, xrefs: 0041F228
Ctl3dDlgFramePaint, xrefs: 0041F1E9
Ctl3dRegister, xrefs: 0041F181
Ctl3dSubclassCtl, xrefs: 0041F1BF
Ctl3dAutoSubclass, xrefs: 0041F213
Ctl3dCtlColorEx, xrefs: 0041F1FE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C

Function 004585C8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0045862F
QueryPerformanceCounter.KERNEL32(02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 00458638
GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00458642
GetCurrentProcessId.KERNEL32(?,02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 0045864B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 004586CF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

D, xrefs: 00458772
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458697
i, xrefs: 004587AC
CreateNamedPipe, xrefs: 004586DF
Helper process PID: %u, xrefs: 0045884C
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458610
64-bit helper EXE wasn't extracted, xrefs: 00458623
CreateProcess, xrefs: 00458802
Starting 64-bit helper process., xrefs: 004585FD
SetNamedPipeHandleState, xrefs: 00458759
helper %d 0x%x, xrefs: 004587D8
CreateFile, xrefs: 00458725

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69

Function 00478504 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 004783CC
Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA

Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02112BD8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478

ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A

Strings

GetExitCodeProcess, xrefs: 0047860F
<, xrefs: 0047854B
ShellExecuteEx, xrefs: 004785A6
ShellExecuteEx returned hProcess=0, xrefs: 004785B6
MsgWaitForMultipleObjects, xrefs: 004785EF
runas, xrefs: 00478559

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D

Function 0042285C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58

Function 00418384 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418393
GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
GetWindowRect.USER32(?), ref: 004183CC
GetWindowLongA.USER32(?,000000F0), ref: 004183DA
GetWindowLongA.USER32(?,000000F8), ref: 004183EF
ScreenToClient.USER32(00000000), ref: 004183F8
ScreenToClient.USER32(00000000,?), ref: 00418403

Strings

,, xrefs: 0041839C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65

Function 004555E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F

Strings

SeShutdownPrivilege, xrefs: 0045560B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E

Function 0045D188 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6

Strings

ArcFourInit, xrefs: 0045D19B
ISCryptGetVersion, xrefs: 0045D18B
ArcFourCrypt, xrefs: 0045D1AB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C

Function 004980A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4

Strings

isRS-???.tmp, xrefs: 004980E5
isRS-, xrefs: 0049811B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58

Function 00457594 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
SetForegroundWindow.USER32(?), ref: 00457649
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68

Function 00455E0C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42

Strings

kernel32.dll, xrefs: 00455E37
GetDiskFreeSpaceExA, xrefs: 00455E32

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68

Function 00417CD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D0F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A

Strings

,, xrefs: 00417D51

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8

Function 00464158 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59

Function 00463CDC Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59

Function 0042E934 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD

Function 0048393C Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0048397A
GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C

Function 00462750 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69

Function 004241DC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241E4
SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1

Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042420A,?,?,?,0046CD53), ref: 00423B4F

SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778

Function 00417CCE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D0F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8

Function 00417598 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175C3
GetCapture.USER32 ref: 004175CC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798

Function 00424194 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042419B

Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02

SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF

Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724

Function 004125D8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D

Function 00478AC0 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58

Function 0045D23C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574

Function 0045D254 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3556712189.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3556688410.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3556756676.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3556712189.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3556688410.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3556756676.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 0044B658 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3

Strings

IsAppThemed, xrefs: 0044B929
DrawThemeEdge, xrefs: 0044B755
IsThemePartDefined, xrefs: 0044B779
IsThemeDialogTextureEnabled, xrefs: 0044B95F
GetThemeBackgroundRegion, xrefs: 0044B731
GetThemeIntList, xrefs: 0044B851
GetThemeColor, xrefs: 0044B79D
GetThemeSysSize, xrefs: 0044B8CF
GetCurrentThemeName, xrefs: 0044B995
EnableTheming, xrefs: 0044B9CB
GetThemeSysInt, xrefs: 0044B905
GetThemeSysColorBrush, xrefs: 0044B8AB
GetThemeSysColor, xrefs: 0044B899
DrawThemeParentBackground, xrefs: 0044B9B9
OpenThemeData, xrefs: 0044B68F
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B78B
GetThemeSysString, xrefs: 0044B8F3
CloseThemeData, xrefs: 0044B6A1
GetThemeMargins, xrefs: 0044B83F
GetThemePartSize, xrefs: 0044B6FB
GetThemePosition, xrefs: 0044B809
GetThemeTextMetrics, xrefs: 0044B71F
GetThemeEnumValue, xrefs: 0044B7F7
GetThemePropertyOrigin, xrefs: 0044B863
DrawThemeIcon, xrefs: 0044B767
DrawThemeText, xrefs: 0044B6C5
IsThemeActive, xrefs: 0044B917
GetThemeBool, xrefs: 0044B7D3
SetWindowTheme, xrefs: 0044B875
DrawThemeBackground, xrefs: 0044B6B3
HitTestThemeBackground, xrefs: 0044B743
GetThemeFilename, xrefs: 0044B887
GetThemeBackgroundContentRect, xrefs: 0044B6D7, 0044B6E9
GetThemeAppProperties, xrefs: 0044B971
EnableThemeDialogTexture, xrefs: 0044B94D
GetThemeString, xrefs: 0044B7C1
GetThemeRect, xrefs: 0044B82D
GetThemeDocumentationProperty, xrefs: 0044B9A7
GetThemeInt, xrefs: 0044B7E5
GetThemeSysBool, xrefs: 0044B8BD
GetWindowTheme, xrefs: 0044B93B
GetThemeTextExtent, xrefs: 0044B70D
GetThemeFont, xrefs: 0044B81B
GetThemeSysFont, xrefs: 0044B8E1
SetThemeAppProperties, xrefs: 0044B983
uxtheme.dll, xrefs: 0044B67A
GetThemeMetric, xrefs: 0044B7AF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD

Function 0041CA0C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CA40
CreateCompatibleDC.GDI32(?), ref: 0041CA4C
CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
CreateCompatibleDC.GDI32(?), ref: 0041CB2B
SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
RealizePalette.GDI32(00000000), ref: 0041CB7D
SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
RealizePalette.GDI32(0041CE3C), ref: 0041CB95
SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
SelectObject.GDI32(00000000,?), ref: 0041CBEE
DeleteDC.GDI32(00000000), ref: 0041CC04

Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68

Function 00456638 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
SysFreeString.OLEAUT32(00000000), ref: 0045685B

Strings

IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
{pf32}\, xrefs: 0045671E
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
IPropertyStore::Commit, xrefs: 004568E3
CoCreateInstance, xrefs: 004566AF
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
%ProgramFiles(x86)%\, xrefs: 0045672E
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
IPersistFile::Save, xrefs: 00456962
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 308859552-2363233914
Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69

Function 004983D0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7

Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481

Strings

/REGU, xrefs: 00498429
Setup, xrefs: 0049843F
.msg, xrefs: 004984CA
/REG, xrefs: 00498405
.lst, xrefs: 004984E4
Inno-Setup-RegSvr-Mutex, xrefs: 0049845D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19

Function 0045A6D8 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846

Strings

The file appears to be in use (%d). Will delete on restart., xrefs: 0045A88F
.chw, xrefs: 0045A78D
Failed to delete the file; it may be in use (%d)., xrefs: 0045A935
Failed to strip read-only attribute., xrefs: 0045A82B
.lnk, xrefs: 0045A7B3
.fts, xrefs: 0045A74C
.chm, xrefs: 0045A774
Stripped read-only attribute., xrefs: 0045A81F
.hlp, xrefs: 0045A70F
.gid, xrefs: 0045A728
Deleting file: %s, xrefs: 0045A7E5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E

Function 0045CBC0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045CBDA
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22

Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4

Strings

SetEntriesInAclW, xrefs: 0045CC1C
SetNamedSecurityInfoW, xrefs: 0045CC0E
GetNamedSecurityInfoW, xrefs: 0045CC01
advapi32.dll, xrefs: 0045CBF5
W, xrefs: 0045CCF2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9

Function 0041B3AC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
GetDC.USER32(00000000), ref: 0041B402
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
ReleaseDC.USER32(00000000,00000000), ref: 0041B455
SelectObject.GDI32(00000000,?), ref: 0041B470
SelectObject.GDI32(?,00000000), ref: 0041B47F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
SelectObject.GDI32(?,00000000), ref: 0041B4C7
DeleteDC.GDI32(00000000), ref: 0041B4D0
DeleteDC.GDI32(?), ref: 0041B4D9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8

Function 00472B48 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 337COMMON

Download Yara Rule

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42

Strings

.lnk, xrefs: 00472BD4
Filename: %s, xrefs: 00472CA2
target.lnk, xrefs: 00472E8C
.url, xrefs: 00472C1A
Desktop.ini, xrefs: 00472EC3
.pif, xrefs: 00472BF7, 00472D8B
{group}\, xrefs: 00472BA2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69

Function 00454874 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D

Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
, xrefs: 004548FE
RegOpenKeyEx, xrefs: 00454910
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69

Function 00459458 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0

Strings

v4.0.30319, xrefs: 004594F1
v2.0.50727, xrefs: 0045955B
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
.NET Framework version %s not found, xrefs: 00459609
.NET Framework not found, xrefs: 0045961D
v1.1.4322, xrefs: 004595C2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19

Function 00458A44 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00458A7B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19

Strings

Helper isn't responding; killing it., xrefs: 00458A87
Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
Helper process exited., xrefs: 00458AC5
Helper process exited, but failed to get exit code., xrefs: 00458AEF
Helper process exited with failure code: 0x%x, xrefs: 00458AE3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A

Function 00454528 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B

Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

Strings

, xrefs: 004545B1
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
RegCreateKeyEx, xrefs: 004545C3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69

Function 00496C50 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8

Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17

DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00496D87
STATIC, xrefs: 00496D0E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68

Function 0042E418 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E46C
kernel32.dll, xrefs: 0042E43C
QaE, xrefs: 0042E4D7, 0042E4DF, 0042E4EA, 0042E50C
GetUserDefaultUILanguage, xrefs: 0042E437
Locale, xrefs: 0042E484
Control Panel\Desktop\ResourceLocale, xrefs: 0042E4A4

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
API String ID: 4190037839-2312295185
Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C

Function 004629F0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004629FC
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
GetWindowRect.USER32(?,00000000), ref: 00462A76
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4

Strings

GetMonitorInfoA, xrefs: 00462A24
user32.dll, xrefs: 00462A0B
(, xrefs: 00462A55
MonitorFromWindow, xrefs: 00462A17

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A

Function 0042F188 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F194
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
GetWindowRect.USER32(?,00000000), ref: 0042F20E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C

Strings

user32.dll, xrefs: 0042F1A3
(, xrefs: 0042F1ED
GetMonitorInfoA, xrefs: 0042F1BC
MonitorFromWindow, xrefs: 0042F1AF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9

Function 00458C1C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02113858,00000000), ref: 00458C79
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D55
GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D5C

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

TransactNamedPipe, xrefs: 00458CEF
CreateEvent, xrefs: 00458C87

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28

Function 00456D20 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

OLEAUT32.DLL, xrefs: 00456D43
GetProcAddress, xrefs: 00456D5B
LoadTypeLib, xrefs: 00456DA6
UnRegisterTypeLib, xrefs: 00456D3E
UnRegisterTypeLib, xrefs: 00456E07
ITypeLib::GetLibAttr, xrefs: 00456DD1

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28

Function 00401A90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00651A58,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00651A58,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00652A58,?,00000000,00008000,00651A58,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62

Strings

X*e, xrefs: 00401B1B, 00401B26, 00401B32
|0e, xrefs: 00401B07
,0e, xrefs: 00401B11

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: ,0e$X*e$|0e
API String ID: 3782394904-2478896455
Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE

Function 00416D80 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E13
SaveDC.GDI32(?), ref: 00416E27
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
RestoreDC.GDI32(?,?), ref: 00416E65
CreateSolidBrush.GDI32(00000000), ref: 00416EE5
FrameRect.USER32(?,?,?), ref: 00416F18
DeleteObject.GDI32(?), ref: 00416F22
CreateSolidBrush.GDI32(00000000), ref: 00416F32
FrameRect.USER32(?,?,?), ref: 00416F65
DeleteObject.GDI32(?), ref: 00416F6F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221E8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422233
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698

Function 00481854 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 00481A11
FreeLibrary.KERNEL32(00000000), ref: 00481A25
SendNotifyMessageA.USER32(00020478,00000496,00002710,00000000), ref: 00481A97

Strings

DeinitializeSetup, xrefs: 0048190D
Deinitializing Setup., xrefs: 00481872
Restarting Windows., xrefs: 00481A72
GetCustomSetupExitCode, xrefs: 004818B1
Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D

Function 0046168C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004616C7
GetActiveWindow.USER32 ref: 0046172B
CoInitialize.OLE32(00000000), ref: 0046173F
SHBrowseForFolder.SHELL32(?), ref: 00461756
CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A

Strings

A, xrefs: 004616FF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59

Function 004729F8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C

Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99

Strings

.ShellClassInfo, xrefs: 00472A4B
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 00472A55
desktop.ini, xrefs: 00472A30
target.lnk, xrefs: 00472A71
CLSID2, xrefs: 00472A46

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C

Function 0045D2B4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED

Strings

inflateInit_, xrefs: 0045D2B7
inflateEnd, xrefs: 0045D2D7
inflateReset, xrefs: 0045D2E7
inflate, xrefs: 0045D2C7

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E

Function 0041A8DC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
SetBkColor.GDI32(?,?), ref: 0041AA08
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
SetBkColor.GDI32(00000000,?), ref: 0041AAC3

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58

Function 004580C4 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA

Strings

/s ", xrefs: 00458133
/u, xrefs: 00458126
regsvr32.exe", xrefs: 0045810B
CreateProcess, xrefs: 004581DC
0x%x, xrefs: 0045820D
Spawning 32-bit RegSvr32: , xrefs: 00458171
D, xrefs: 004581A0
Spawning 64-bit RegSvr32: , xrefs: 0045814F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19

Function 0044D178 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
GetSysColor.USER32(00000014), ref: 0044D1B0
SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
GetSysColor.USER32(00000010), ref: 0044D202
SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668

Function 0041B66C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B745
GetDC.USER32(?), ref: 0041B751
SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
RealizePalette.GDI32(00000000), ref: 0041B792
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4

Strings

%H, xrefs: 0041B674

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID: %H
API String ID: 3275473261-1959103961
Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9

Function 0041B93C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA17
GetDC.USER32(?), ref: 0041BA23
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
RealizePalette.GDI32(00000000), ref: 0041BA69
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1

Strings

%H, xrefs: 0041B944

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID: %H
API String ID: 3275473261-1959103961
Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4

Function 004964F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8

Strings

Deleting Uninstall data files., xrefs: 004964FB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D

Function 004701FC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
AddFontResourceA.GDI32(00000000), ref: 00470297
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB

Strings

Failed to open Fonts registry key., xrefs: 00470281
AddFontResource, xrefs: 004702B5
Failed to set value in Fonts registry key., xrefs: 0047026C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D

Function 00462E30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE

GetVersion.KERNEL32 ref: 00462E60
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12

Strings

Explorer, xrefs: 00462E7A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D

Function 00478370 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 004783CC
CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA

Strings

kernel32.dll, xrefs: 00478384
GetFinalPathNameByHandleA, xrefs: 0047837F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E

Function 00459E0C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2

Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9

Strings

Deleting directory: %s, xrefs: 00459E5B
Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
Failed to delete directory (%d)., xrefs: 00459F68
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
Stripped read-only attribute., xrefs: 00459E94
Failed to strip read-only attribute., xrefs: 00459EA0

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E

Function 00422E50 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EA4
GetCapture.USER32 ref: 00422EB3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
ReleaseCapture.USER32 ref: 00422EBE
GetActiveWindow.USER32 ref: 00422ECD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
GetActiveWindow.USER32 ref: 00422FBF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49

Function 0042F290 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
GetActiveWindow.USER32 ref: 0042F2DA
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58

Function 00429480 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042948A
GetTextMetricsA.GDI32(00000000), ref: 00429493

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(00000000,00000000), ref: 004294A2
GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
SelectObject.GDI32(00000000,00000000), ref: 004294B6
ReleaseDC.USER32(00000000,00000000), ref: 004294BE
GetSystemMetrics.USER32(00000006), ref: 004294E3
GetSystemMetrics.USER32(00000006), ref: 004294FD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A

Function 0041DE24 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041DE27
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
GetStockObject.GDI32(00000007), ref: 0041DE5B
GetStockObject.GDI32(00000005), ref: 0041DE67
GetStockObject.GDI32(0000000D), ref: 0041DE73
LoadIconA.USER32(00000000,00007F00), ref: 0041DE84

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E

Function 00463240 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00463344
SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4

Strings

, xrefs: 004635BF
Internal error: Item already expanding, xrefs: 004632E1
, xrefs: 004635DA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A

Function 00453D30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17

Strings

.tmp, xrefs: 00453DD3
[rename], xrefs: 00453E7A, 00453EB6
MoveFileEx, xrefs: 00454027
WININIT.INI, xrefs: 00453DC5
NUL, xrefs: 00453ED9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58

Function 00476C50 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53

Strings

Inno Setup: Language, xrefs: 00476DDB
COMBOBOX, xrefs: 00476CA2

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58

Function 00408720 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A

Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7

Strings

:mm:ss, xrefs: 00408936
AMPM, xrefs: 00408905
mmmm d, yyyy, xrefs: 0040882B
:mm, xrefs: 0040891C
m/d/yy, xrefs: 00408809

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D

Function 004116F4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A

Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6

Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD

Strings

?, xrefs: 004117A6
,, xrefs: 0041179F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58

Function 0041BE63 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
DeleteObject.GDI32(?), ref: 0041BF9F
DeleteObject.GDI32(?), ref: 0041BFA8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68

Function 0041CED8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
RealizePalette.GDI32(?), ref: 0041CF92
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
SelectPalette.GDI32(?,?,00000001), ref: 0041D05F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58

Function 004572DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 0045732E

Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C

Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
TranslateMessage.USER32(?), ref: 004573B3
DispatchMessageA.USER32(?), ref: 004573BC

Strings

[Paused] , xrefs: 00457364

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69

Function 0046B420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500

Strings

CheckPassword, xrefs: 0046B484

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99

Function 00477C6C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5

SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
GetTickCount.KERNEL32 ref: 00477CE6
GetTickCount.KERNEL32 ref: 00477CF0
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD

Function 00459784 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F

Strings

Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
.NET Framework CreateAssemblyCache function failed, xrefs: 00459862
CreateAssemblyCache, xrefs: 00459836
Fusion.dll, xrefs: 004597DF
Failed to load .NET Framework DLL "%s", xrefs: 00459824

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799

Function 0041C148 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055

GetFocus.USER32 ref: 0041C168
GetDC.USER32(?), ref: 0041C174
SelectPalette.GDI32(?,?,00000000), ref: 0041C195
RealizePalette.GDI32(?), ref: 0041C1A1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
ReleaseDC.USER32(?,?), ref: 0041C1ED

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28

Function 00418C54 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C70
GetSystemMetrics.USER32(0000000D), ref: 00418C78
6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E

Part of subcall function 004107F8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC

6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
6F530860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MetricsSystem$C400C740F530860F532980
String ID:
API String ID: 209721339-0
Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759

Function 00483C6C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09

Strings

System\CurrentControlSet\Control\ProductOptions, xrefs: 00483C90
WinNT, xrefs: 00483CB9
LanmanNT, xrefs: 00483CD3
ProductType, xrefs: 00483CA8
ServerNT, xrefs: 00483CED

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C

Function 0041B462 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B470
SelectObject.GDI32(?,00000000), ref: 0041B47F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
SelectObject.GDI32(?,00000000), ref: 0041B4C7
DeleteDC.GDI32(00000000), ref: 0041B4D0
DeleteDC.GDI32(?), ref: 0041B4D9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8

Function 00495508 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00495519

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(00000000,00000000), ref: 0049553B
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
GetTextMetricsA.GDI32(00000000,?), ref: 00495571
ReleaseDC.USER32(00000000,00000000), ref: 0049558E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28

Function 00423394 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233AF
WindowFromPoint.USER32(?,?), ref: 004233BC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
GetCurrentThreadId.KERNEL32 ref: 004233D1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
SetCursor.USER32(00000000), ref: 00423413

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D

Function 004019CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

|0e, xrefs: 00401A04
,0e, xrefs: 00401A0E

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: ,0e$|0e
API String ID: 730355536-1358723455
Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
Opcode Fuzzy Hash: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD

Function 0049532C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356

Strings

GetMonitorInfoA, xrefs: 00495350
MonitorFromRect, xrefs: 00495343
user32.dll, xrefs: 00495337

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED

Function 0045D688 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1

Strings

BZ2_bzDecompressInit, xrefs: 0045D68B
BZ2_bzDecompress, xrefs: 0045D69B
BZ2_bzDecompressEnd, xrefs: 0045D6AB

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C

Function 0042EA1C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C

Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60

Strings

ChangeWindowMessageFilterEx, xrefs: 0042EA2B
user32.dll, xrefs: 0042EA30

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E

Function 0044C7DC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C

Strings

LresultFromObject, xrefs: 0044C7F6
CreateStdAccessibleObject, xrefs: 0044C806
oleacc.dll, xrefs: 0044C7E6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C

Function 00478C20 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43

Strings

VerifyVersionInfoW, xrefs: 00478C3D
VerSetConditionMask, xrefs: 00478C2D
kernel32.dll, xrefs: 00478C21

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C

Function 0041B508 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B57E
GetDC.USER32(?), ref: 0041B58A
GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
ReleaseDC.USER32(?,?), ref: 0041B626

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5

Function 0045D04C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6

Strings

CURRENT_USER, xrefs: 0045D08B
MACHINE, xrefs: 0045D09A
USERS, xrefs: 0045D0A9
CLASSES_ROOT, xrefs: 0045D07C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E

Function 0041BD8C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
GetDC.USER32(00000000), ref: 0041BDE9
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
ReleaseDC.USER32(00000000,00000000), ref: 0041BE56

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69

Function 0047E758 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047E766
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49

Function 0041B270 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B

UnrealizeObject.GDI32(00000000), ref: 0041B27C
SelectObject.GDI32(?,00000000), ref: 0041B28E
SetBkColor.GDI32(?,00000000), ref: 0041B2B1
SetBkMode.GDI32(?,00000002), ref: 0041B2BC
SetBkColor.GDI32(?,00000000), ref: 0041B2D7
SetBkMode.GDI32(?,00000001), ref: 0041B2E2

Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A

Function 004538BC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB

Strings

_iu, xrefs: 0045394D
.tmp, xrefs: 0045395F
!nI, xrefs: 004538EC, 004538F7, 00453952, 0045395C, 0045392C, 00453936

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: !nI$.tmp$_iu
API String ID: 3498533004-584216493
Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69

Function 00497D5C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3

Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481

Strings

.msg, xrefs: 00497DF8
.dat, xrefs: 00497DD9
Uninstall, xrefs: 00497D78
IMsg, xrefs: 00497E66

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68

Function 0042EAA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09

Strings

ShutdownBlockReasonCreate, xrefs: 0042EAD0
user32.dll, xrefs: 0042EAD5

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E

Function 00457FF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
CloseHandle.KERNEL32(?,0045807C), ref: 0045806F

Strings

GetExitCodeProcess, xrefs: 00458052
MsgWaitForMultipleObjects, xrefs: 00458035

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D

Function 0042E9AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9

Strings

ChangeWindowMessageFilter, xrefs: 0042E9B8
user32.dll, xrefs: 0042E9BD

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E

Function 00477B94 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5

Strings

AllowSetForegroundWindow, xrefs: 00477BA5
user32.dll, xrefs: 00477BAA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D

Function 00416C2C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C52
SaveDC.GDI32(?), ref: 00416C83
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
RestoreDC.GDI32(?,?), ref: 00416D0B
EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58

Function 00414800 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414836
MulDiv.KERNEL32(?,?,?), ref: 00414850
MulDiv.KERNEL32(?,?,?), ref: 00414879
MulDiv.KERNEL32(?,?,?), ref: 004148A4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148EC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19

Function 004297CC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228

Function 0041BBB8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
GetDC.USER32(00000000), ref: 0041BC12
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
DeleteObject.GDI32(00000000), ref: 0041BC9A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98

Function 004735D8 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7

GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B

Strings

Failed to set permissions on registry key (%d)., xrefs: 0047368C
Setting permissions on registry key: %s\%s, xrefs: 0047362A
Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143E0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
RealizePalette.GDI32(00000000), ref: 00414421
SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
RealizePalette.GDI32(00000000), ref: 0041443B
ReleaseDC.USER32(00000000,00000000), ref: 00414446

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765

Function 00424CE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092

Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA

OffsetRect.USER32(?,?,?), ref: 00424DC9
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
OffsetRect.USER32(?,?,?), ref: 00424E9D

Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD

Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47

Strings

vLB, xrefs: 00424CF3, 00424DD1

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
String ID: vLB
API String ID: 1477829881-1797516613
Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44

Function 00406FA4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5

Strings

Z, xrefs: 0040703C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A

Function 0044CFC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D04E
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101

Strings

, xrefs: 0044D033

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64

Function 0042EF74 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042EF9E

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(?,00000000), ref: 0042EFC1
ReleaseDC.USER32(00000000,?), ref: 0042F0A0

Strings

...\, xrefs: 0042F052

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59

Function 00416410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
UnregisterClassA.USER32(?,00400000), ref: 004164AB
RegisterClassA.USER32(?), ref: 004164CE

Strings

@, xrefs: 00416429

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
Opcode Fuzzy Hash: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A

Function 00498210 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2

Strings

isRS-%.3u.tmp, xrefs: 0049825F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED

Function 00456BFC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D

Strings

RegisterTypeLib, xrefs: 00456C88
LoadTypeLib, xrefs: 00456C5B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24

Function 00457154 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B

Strings

Failed to create DebugClientWnd, xrefs: 004571D4
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE

Function 004786EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

GetFocus.USER32 ref: 00478757
GetKeyState.USER32(0000007A), ref: 00478769
WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773

Strings

Wnd=$%x, xrefs: 0047873B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69

Function 0046E610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046E69C
(invalid), xrefs: 0046E6AA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7

Function 00453F76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

MoveFile, xrefs: 00453FB1
DeleteFile, xrefs: 00453F94

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529

Function 00459364 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 00459384
InstallRoot, xrefs: 004593A0
.NET Framework not found, xrefs: 004593C0

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629

Function 00483BC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
CSDVersion, xrefs: 00483BFC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59

Function 0042D8F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910

Strings

GetSystemWow64DirectoryA, xrefs: 0042D900
kernel32.dll, xrefs: 0042D905

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D

Function 0042EB54 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68

Strings

ShutdownBlockReasonDestroy, xrefs: 0042EB58
user32.dll, xrefs: 0042EB5D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD

Function 0044F744 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785

Strings

user32.dll, xrefs: 0044F77A
NotifyWinEvent, xrefs: 0044F775

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D

Function 00498968 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978

Strings

DisableProcessWindowsGhosting, xrefs: 00498968
user32.dll, xrefs: 0049896D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F

Function 004645F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609

Strings

shell32.dll, xrefs: 004645FE
SHPathPrepareForWriteA, xrefs: 004645F9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE

Function 0047D67C Relevance: 6.2, APIs: 4, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54

Function 004755AC Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36

Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD

GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A

Strings

MoveFileEx, xrefs: 0047566F
, xrefs: 00475642, 0047565D
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004756DF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9

Function 00413CF8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D46
GetDesktopWindow.USER32 ref: 00413DFE

Part of subcall function 00418EC0: 6F59C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9

SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98

Function 00408A54 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B

Function 0044E8C4 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D

Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991

Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8

IsRectEmpty.USER32(?), ref: 0044E953
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299

Function 00495924 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00495988
OffsetRect.USER32(?,00000000,?), ref: 004959A3
OffsetRect.USER32(?,?,00000000), ref: 004959BD
OffsetRect.USER32(?,00000000,?), ref: 004959D8

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761

Function 00417218 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417260
SetCursor.USER32(00000000), ref: 004172A3
GetLastActivePopup.USER32(?), ref: 004172CD
GetForegroundWindow.USER32(?), ref: 004172D4

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E

Function 004955DC Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
MulDiv.KERNEL32(?,00000008,?), ref: 00495605
MulDiv.KERNEL32(?,00000008,?), ref: 00495619
MulDiv.KERNEL32(?,00000008,?), ref: 00495637

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68

Function 0041F480 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
RegisterClassA.USER32(00499598), ref: 0041F4D4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC

Function 00454F7C Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78

Function 0040D010 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68

Function 00401548 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,|0e,?,?,?,004018B4), ref: 00401566
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,|0e,?,?,?,004018B4), ref: 0040158B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,|0e,?,?,?,004018B4), ref: 004015B1

Strings

|0e, xrefs: 0040154B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: |0e
API String ID: 3668210933-1077209858
Opcode ID: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
Instruction ID: ed10fda1d5a177d2a0c43996bc0be7fa2989f050302610c9045c0a13ae1d279a
Opcode Fuzzy Hash: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
Instruction Fuzzy Hash: AFF0C8716403206AEB315A294C85F133AD4DBC5754F104075BE09FF3DAD6B8980082AC

Function 004705A0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 004705F1

Strings

Unsetting NTFS compression on file: %s, xrefs: 004705D7
Failed to set NTFS compression state (%d)., xrefs: 00470602
Setting NTFS compression on file: %s, xrefs: 004705BF

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E

Function 0046FDF4 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45

Strings

Setting NTFS compression on directory: %s, xrefs: 0046FE13
Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
Failed to set NTFS compression state (%d)., xrefs: 0046FE56

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B

Function 00455D9C Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D

Function 0047CD48 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047CD69
GetLastError.KERNEL32 ref: 0047CD73
GetTickCount.KERNEL32 ref: 0047CD7D
Sleep.KERNEL32(00000032), ref: 0047CD8D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E

Function 00478204 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776

Function 00424240 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042424C
IsWindowVisible.USER32(?), ref: 0042425D
IsWindowEnabled.USER32(?), ref: 00424267
SetForegroundWindow.USER32(?), ref: 00424271

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD

Function 0040626C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040626F
GlobalUnlock.KERNEL32(00000000), ref: 00406276
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
GlobalLock.KERNEL32(00000000), ref: 00406281

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A

Function 0047A218 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479

Strings

Failed to parse "reg" constant, xrefs: 0047A480
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99

Function 0048358C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7

Strings

Will not restart Windows automatically., xrefs: 004836F6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D

Function 004763AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4

Strings

Extracting temporary file: , xrefs: 004763EC

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58

Function 0046CC0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49

Function 00478E98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
%s\%s_is1, xrefs: 00478F10

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58

Function 00450168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E

Strings

open, xrefs: 00450221

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59

Function 00455290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Strings

<, xrefs: 004552E6

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0217C330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C

Function 00496B2E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69

Strings

/INITPROCWND=$%x , xrefs: 00496B94
@, xrefs: 00496B34

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658

Function 00447414 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 004474C6

Strings

Unknown Method, xrefs: 0044749F
NIL Interface Exception, xrefs: 00447468

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69

Function 004963A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425

Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C

Strings

0nI, xrefs: 004963D9, 004963E8

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: 0nI
API String ID: 3798668922-794067871
Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D

Function 0042DD64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8

Strings

Inno Setup: No Icons, xrefs: 0042DD76

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E

Function 00452E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB

Strings

T$H, xrefs: 00452EF9

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: T$H
API String ID: 1799206407-488339322
Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558

Function 00452908 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947

Strings

T$H, xrefs: 00452975

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: T$H
API String ID: 2018770650-488339322
Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598

Function 00452E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F

Strings

T$H, xrefs: 00452E7D

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: T$H
API String ID: 377330604-488339322
Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598

Function 00498004 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(73AF0000,00481A2F), ref: 0047D0E2

Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6

Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F

Strings

Detected restart. Removing temporary directory., xrefs: 00498013

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356

Strings

H6c, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: H6c
API String ID: 2123368496-3698304253
Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD

Function 00455674 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00455693
Sleep.KERNEL32(?), ref: 004556A3
GetLastError.KERNEL32 ref: 004556B6
GetLastError.KERNEL32 ref: 004556C0

Memory Dump Source

Source File: 00000001.00000002.3554983010.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3554957587.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555057788.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555076842.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555094183.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3555110326.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

Analysis Process: classichomecinema.exePID: 7640, Parent PID: 7620COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	69.6%
Signature Coverage:	17.5%
Total number of Nodes:	473
Total number of Limit Nodes:	24

Executed Functions

Function 00AB5E59 Relevance: 70.2, APIs: 34, Strings: 6, Instructions: 210
memorysleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(00AE4FD0), ref: 00AB5E8D
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00AB5EA4
GetProcAddress.KERNEL32(00000000), ref: 00AB5EAD
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00AB5EBC
GetProcAddress.KERNEL32(00000000), ref: 00AB5EBF
GetTickCount.KERNEL32 ref: 00AB5ED3

Part of subcall function 00AB59F4: _malloc.LIBCMT ref: 00AB5A02

GetVersionExA.KERNEL32(00AE4E20), ref: 00AB5F00
_malloc.LIBCMT ref: 00AB5F2C

Part of subcall function 00AC1FAC: __FF_MSGBANNER.LIBCMT ref: 00AC1FC3
Part of subcall function 00AC1FAC: __NMSG_WRITE.LIBCMT ref: 00AC1FCA
Part of subcall function 00AC1FAC: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001), ref: 00AC1FEF

_malloc.LIBCMT ref: 00AB5F3C
_malloc.LIBCMT ref: 00AB5F47
_malloc.LIBCMT ref: 00AB5F52
_malloc.LIBCMT ref: 00AB5F5D
_malloc.LIBCMT ref: 00AB5F68
_malloc.LIBCMT ref: 00AB5F73
_malloc.LIBCMT ref: 00AB5F7F
GetProcessHeap.KERNEL32(00000000,00000004), ref: 00AB5F96
RtlAllocateHeap.NTDLL(00000000), ref: 00AB5F9F
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00AB5FAB
RtlAllocateHeap.NTDLL(00000000), ref: 00AB5FAE
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00AB5FB9
RtlAllocateHeap.NTDLL(00000000), ref: 00AB5FBC
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB5FF3
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB6000
_malloc.LIBCMT ref: 00AB6021
_malloc.LIBCMT ref: 00AB602F
_malloc.LIBCMT ref: 00AB6036
_malloc.LIBCMT ref: 00AB6057
QueryPerformanceCounter.KERNEL32(00000200), ref: 00AB6063
Sleep.KERNEL32(00000000), ref: 00AB6071
_malloc.LIBCMT ref: 00AB607D
_malloc.LIBCMT ref: 00AB608D
Sleep.KERNEL32(0000EA60), ref: 00AB60FF
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB610A
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB611B

Strings

]Np, xrefs: 00AB5ED9
strcat, xrefs: 00AB5EAF
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00AB6124
sprintf, xrefs: 00AB5E9E
gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d, xrefs: 00AB603E
ntdll.dll, xrefs: 00AB5E99, 00AB5EA3, 00AB5EB4

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$]Np$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
API String ID: 4273019447-62021870
Opcode ID: c522db2eb2f6a2424b093e59ad3dd5254e8937dc2fa667ac10941573a61ee6ea
Instruction ID: c4b30fc6e6f281774afc993307d391dedb4a74e6affb9c8fc0cc22e1048a55db
Opcode Fuzzy Hash: c522db2eb2f6a2424b093e59ad3dd5254e8937dc2fa667ac10941573a61ee6ea
Instruction Fuzzy Hash: BD71C8B1D053809FD710EFB4AC59B5B7BE8AF89B00F05081EF18597292DBB84905CBD6

Function 00ABE9A6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00ABE9BC
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00ABE9D5
GetAdaptersInfo.IPHLPAPI(?,?), ref: 00ABE9FA
FreeLibrary.KERNEL32(00000000), ref: 00ABEA83

Strings

iphlpapi.dll, xrefs: 00ABE9B0
GetAdaptersInfo, xrefs: 00ABE9CF

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 3e373134c0409cf5bf1f0a31ebb89724f4db0ae960f9cb6827ad3aba61a6221e
Instruction ID: f7407c85ebf3d8fc9d12753c8a6d849a838babd6788e18c7dc57bb29b0d70951
Opcode Fuzzy Hash: 3e373134c0409cf5bf1f0a31ebb89724f4db0ae960f9cb6827ad3aba61a6221e
Instruction Fuzzy Hash: 3D21A375A042099FDB10DFA8D884AEEBBFCFF45351F1441AEE505E7242DB309D458BA4

Function 00AB2B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000), ref: 00AB2BE4
WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 00AB2C07

Part of subcall function 00AB9505: WSAGetLastError.WS2_32(00000000,?,?,00AB2A51), ref: 00AB9513

WSASetLastError.WS2_32 ref: 00AB2CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 00AB2CE7

Strings

3', xrefs: 00AB2C85

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: 3966c879a4e00a89ae98cb7802a4e15b116a09d80a3e814b13228bffd320d64e
Instruction ID: b4f8e52ab6eb2fa3f5797dab8d34a72233e4aab6902b02009b85e3b56526db17
Opcode Fuzzy Hash: 3966c879a4e00a89ae98cb7802a4e15b116a09d80a3e814b13228bffd320d64e
Instruction Fuzzy Hash: 24417DB1A153018FDB20DF64C9157EBBBECAF84354F144D2EF49587292EB70D9409B92

Function 00ABE8A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00ABE8C1
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 00ABE8FF
GetLastError.KERNEL32 ref: 00ABE960
CloseHandle.KERNEL32(?), ref: 00ABE997

Strings

\\.\PhysicalDrive0, xrefs: 00ABE8BA

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 09a52af708d42fe6759761d6c4c99f4a7a577822bfbfe3dd696f12bad3721725
Instruction ID: 806c629f9452087cb00c0c3dc52f2cb7ee386e0c26a05c043af6073f4a2383f1
Opcode Fuzzy Hash: 09a52af708d42fe6759761d6c4c99f4a7a577822bfbfe3dd696f12bad3721725
Instruction Fuzzy Hash: 72316E75E00219AFDB24DF94D884AEEBBB8FF45710F24416AE505A7282D7705E09CBE0

Function 00AEF21D Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(-C448D760), ref: 00B13978

Strings

^0s, xrefs: 00AFFDAD

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae8000_classichomecinema.jbxd

Similarity

API ID: CloseHandle
String ID: ^0s
API String ID: 2962429428-4263405714
Opcode ID: 1e84acf074a9bbbc6055d08f1e07e31911314f495d98b6f2567ac3587e3376ec
Instruction ID: 2ffb568a22a7b7fafc9f4a700d16d760f0bc10830ab654d575b316ce46388bce
Opcode Fuzzy Hash: 1e84acf074a9bbbc6055d08f1e07e31911314f495d98b6f2567ac3587e3376ec
Instruction Fuzzy Hash: 2051C1F391C6109FE308AE29EC9577AB7E9EB88710F164A2DFAC9C7704D6315C408696

Function 00AF0010 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(-C448D760), ref: 00B13978

Strings

^0s, xrefs: 00AFFDAD

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae8000_classichomecinema.jbxd

Similarity

API ID: CloseHandle
String ID: ^0s
API String ID: 2962429428-4263405714
Opcode ID: cf2c784872a2197bf033916813916896aecaa4c89dec95eeb82f5eed13489d62
Instruction ID: 8b391d003676fa32c102e6f429a4db1e55054db3640474f8776f47af8f82153d
Opcode Fuzzy Hash: cf2c784872a2197bf033916813916896aecaa4c89dec95eeb82f5eed13489d62
Instruction Fuzzy Hash: D951C1F391C6109FE308AE29EC9577AB7E9EB88710F164A3DFAC9C7704D6315C408696

Function 00AB5DEE Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]Np, xrefs: 00AB5ED9
strcat, xrefs: 00AB5EAF
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00AB6124
gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d, xrefs: 00AB603E
ntdll.dll, xrefs: 00AB5EB4

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID:
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$]Np$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$strcat
API String ID: 0-112600469
Opcode ID: c9382f7515c6b277282ae0b37377d27ec2f4876ee3afd0c579bbac68f7908876
Instruction ID: 74780cc4503afe5c8e1d25ac41a7ba4ab3e9faded3ca3b77c9e67dc287a1a7c7
Opcode Fuzzy Hash: c9382f7515c6b277282ae0b37377d27ec2f4876ee3afd0c579bbac68f7908876
Instruction Fuzzy Hash: 34811571D097805FC710EF74AC5AB9B7BE8AF8A710F15081EF1849B292C7B44506CBD6

Function 00AB62A7 Relevance: 54.9, APIs: 19, Strings: 12, Instructions: 697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB649E
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB64AF

Strings

, xrefs: 00AB6B00
block, xrefs: 00AB663E
auth_ip, xrefs: 00AB65FA, 00AB6866
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00AB6124
auth_swith, xrefs: 00AB65CE
connect, xrefs: 00AB64B5, 00AB6513
<htm, xrefs: 00AB6445
idle, xrefs: 00AB64D7, 00AB6821
%d;, xrefs: 00AB6890
updurls, xrefs: 00AB64F9
updips, xrefs: 00AB64E8, 00AB6845
disconnect, xrefs: 00AB64C6, 00AB67CD

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
API String ID: 3168844106-2823103634
Opcode ID: 12e51174fc1a69f626fda0ee4f42db25a07db5709400653381def2a48c7ba7e2
Instruction ID: 18f5c07251599cf608ae01b68352b209610d713071f4a081746e48f6993cf979
Opcode Fuzzy Hash: 12e51174fc1a69f626fda0ee4f42db25a07db5709400653381def2a48c7ba7e2
Instruction Fuzzy Hash: B43254326083819FC724DB34D952BEFBBE8AF86714F14491EF48A8B293DB349405CB52

Function 00AB6364 Relevance: 42.4, APIs: 14, Strings: 10, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB649E
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB64AF
_malloc.LIBCMT ref: 00AB6536
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB6548
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB6554

Strings

block, xrefs: 00AB663E
auth_ip, xrefs: 00AB65FA
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00AB6124
auth_swith, xrefs: 00AB65CE
connect, xrefs: 00AB64B5, 00AB6513
<htm, xrefs: 00AB6445
idle, xrefs: 00AB64D7
updurls, xrefs: 00AB64F9
updips, xrefs: 00AB64E8
disconnect, xrefs: 00AB64C6

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$_malloc
String ID: <htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
API String ID: 362512214-1437582238
Opcode ID: 9cef5c96be09e324a7633d4c8f7af415360ff5445f8160c22c5cb041e6b84835
Instruction ID: d6d7a53be94a5bd16b5680ba18f95cc8fdc9ec4100c717698da30f788a724e2e
Opcode Fuzzy Hash: 9cef5c96be09e324a7633d4c8f7af415360ff5445f8160c22c5cb041e6b84835
Instruction Fuzzy Hash: E8C19832648381AFC721AB349D62BDF7BE8AF86B14F19051DF4869B393DB24C905C752

Function 00AB1CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00AB1D11
GetLastError.KERNEL32 ref: 00AB1D23

Part of subcall function 00AB1712: __EH_prolog.LIBCMT ref: 00AB1717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00AB1D59
GetLastError.KERNEL32 ref: 00AB1D6B
__beginthreadex.LIBCMT ref: 00AB1DB1
GetLastError.KERNEL32 ref: 00AB1DC6
CloseHandle.KERNEL32(00000000), ref: 00AB1DDD
CloseHandle.KERNEL32(00000000), ref: 00AB1DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00AB1E14
CloseHandle.KERNEL32(00000000), ref: 00AB1E1B

Strings

thread, xrefs: 00AB1DFB
thread.exit_event, xrefs: 00AB1D84
thread.entry_event, xrefs: 00AB1D3C

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: 8b4280c7fc31625e8178a827bb25c05a83486892777f9679f03451589dbd36b0
Instruction ID: 197b28717db6aafadd9b1d3d0049768e4975032502c4b46aeb5737097f5107b0
Opcode Fuzzy Hash: 8b4280c7fc31625e8178a827bb25c05a83486892777f9679f03451589dbd36b0
Instruction Fuzzy Hash: FA315E71A007019FD700EF64C859BABBBA8EF84750F14496EF8558B292EB309D49CBD2

Function 00AB4D86 Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00AB4D8B
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB4DB7
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB4DC3

Part of subcall function 00AB4BED: __EH_prolog.LIBCMT ref: 00AB4BF2
Part of subcall function 00AB4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 00AB4CF2

RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB4E93
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB4E99
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB4EA0
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB4EA6
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB50A7
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB50AD
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB50B8
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB50C1

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: 994f1ad32d2b3809a1e5f6f3e47b30abffb80c3a4fc42c86b592e050f5ff3b35
Instruction ID: 5471921b7e6aaf35180663688f7d3078a2c469cba687206bbebd23ecc96c8b1e
Opcode Fuzzy Hash: 994f1ad32d2b3809a1e5f6f3e47b30abffb80c3a4fc42c86b592e050f5ff3b35
Instruction Fuzzy Hash: D5B18C71D0425DDFDF25DFA0D941BEEBBB8AF08314F10405AE405B6292DBB45A89CFA2

Function 00401301 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,0000000A), ref: 00401351
SizeofResource.KERNEL32(00000000), ref: 00401370

Strings

, xrefs: 00401407

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Resource$FindSizeof
String ID:
API String ID: 3019604839-3916222277
Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

Function 00AB26DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00AB2706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00AB272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AD3163), ref: 00AB2738

Part of subcall function 00AB1712: __EH_prolog.LIBCMT ref: 00AB1717

SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 00AB2778
RtlLeaveCriticalSection.NTDLL(?), ref: 00AB27D9

Strings

timer, xrefs: 00AB2745

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: 9011f57a9f025ac06b6a81f38491db16d945d0b31617398787af0fc545bb7350
Instruction ID: 30b46fc7f84c4b8c79231e9792bb9a3e86eb8a2255ea40e3b2706330875be1d4
Opcode Fuzzy Hash: 9011f57a9f025ac06b6a81f38491db16d945d0b31617398787af0fc545bb7350
Instruction Fuzzy Hash: BD31BEB1904705AFD310DF75C984B96BBECFB48761F004A2EF81683681DB70D845CB95

Function 00AB1BA7 Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00AB1BAC
RtlEnterCriticalSection.NTDLL ref: 00AB1BBC
RtlLeaveCriticalSection.NTDLL ref: 00AB1BEA
RtlEnterCriticalSection.NTDLL ref: 00AB1C13
RtlLeaveCriticalSection.NTDLL ref: 00AB1C56

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 20c627ce095fd45558d5a0eb1f22b9f7576112c4e91cefc4988b6a695d2a5d24
Instruction ID: 5012af209e41c1e5b242b5b71cbc9da9433becb4e2ef1ad9867f2d6b06d727b4
Opcode Fuzzy Hash: 20c627ce095fd45558d5a0eb1f22b9f7576112c4e91cefc4988b6a695d2a5d24
Instruction Fuzzy Hash: E221BC75A00604DFCB14CF68C844B9ABBB8FF49315F10854AE81A97302D775ED05CBE0

Function 00AB6BC2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(0000EA60), ref: 00AB60FF
RtlEnterCriticalSection.NTDLL(00AE4FD0), ref: 00AB610A
RtlLeaveCriticalSection.NTDLL(00AE4FD0), ref: 00AB611B

Strings

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00AB6124

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
API String ID: 1566154052-1923541051
Opcode ID: 268490d476457aa12ec8feab3549b22f19728a5ab365436089d02f94fe5f6206
Instruction ID: 396fca99c941a6ab56df7b8298abd799f12fb85573dda6f74a237cf89dfdad22
Opcode Fuzzy Hash: 268490d476457aa12ec8feab3549b22f19728a5ab365436089d02f94fe5f6206
Instruction Fuzzy Hash: 51217932848B818FD321EF78EC066E17BB4FF1AB01B19049AE4C697557DA24A946CB91

Function 00401DA5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00401D97
SetEvent.KERNEL32(?), ref: 00401F4E

Strings

.exe, xrefs: 00401DCD
'l3k, xrefs: 0040DC44

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: EventOpen
String ID: 'l3k$.exe
API String ID: 3658969616-2632659021
Opcode ID: 91863bf70a53044422b0483ecfc40545a46aab5f930189fa63745c934b42f44f
Instruction ID: 866a35bc240b9fc6576fee2ec2866792a1cd1e7454ba96a004f15cac11a8e27f
Opcode Fuzzy Hash: 91863bf70a53044422b0483ecfc40545a46aab5f930189fa63745c934b42f44f
Instruction Fuzzy Hash: 30115730608641CBE3119B209F443A737B8AB52341F6444BACC87F61A1C73C894A864E

Function 00402A20 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402A46

Part of subcall function 00403B64: HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4

GetCommandLineA.KERNEL32 ref: 00402A94
GetStartupInfoA.KERNEL32(?), ref: 00402ABF
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2

Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C

Function 00AB2EDD Relevance: 6.0, APIs: 4, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00AB2EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00AB2EFD
WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00AB2F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00AB2F36

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: 706ea15e827e540c21b9f3a1edac479e71a11c61b847a7dcb78b46c10c915a79
Instruction ID: 9549f4a47782ae6fded12a3c8962e805711f4f3521483d858c59b1bb750882f5
Opcode Fuzzy Hash: 706ea15e827e540c21b9f3a1edac479e71a11c61b847a7dcb78b46c10c915a79
Instruction Fuzzy Hash: 32018872A11204BFDB209FB5DC89B9B7BBCEB85771F008566F919CB151D67089008BA0

Function 00AB2DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB2D39: WSASetLastError.WS2_32(00000000), ref: 00AB2D47
Part of subcall function 00AB2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00AB2D5C

WSASetLastError.WS2_32(00000000), ref: 00AB2E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 00AB2E83

Strings

3', xrefs: 00AB2E22

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: 3950b5c4d327cc7364793352cb0e09a75b51d95055cc31da38e17167a881ec9a
Instruction ID: 85f29cbafc024a18c60cf48c846fde4ec8960eb4594acbce22dd76a5b379b342
Opcode Fuzzy Hash: 3950b5c4d327cc7364793352cb0e09a75b51d95055cc31da38e17167a881ec9a
Instruction Fuzzy Hash: 2431E1B0E102059FDF10DFA8C9267EEBBFDEF08394F04456AE80493243E77199518BA0

Function 00AB2AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00AB2AEA
connect.WS2_32(?,?,?), ref: 00AB2AF5

Strings

3', xrefs: 00AB2B3B

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: f3534f26fb5afebb502d7e86cc18771a0fe90884b925a1b8b3bdff2dd8488848
Instruction ID: be9a85827030fb04694f2bcd08b0aa2e2a1c998f2be71115db7e44921d37e3bc
Opcode Fuzzy Hash: f3534f26fb5afebb502d7e86cc18771a0fe90884b925a1b8b3bdff2dd8488848
Instruction Fuzzy Hash: 8021C971E10204AFCF10EFA8D9257EEBBBDAF44360F14855AE81897283DB744A019B91

Function 00402337 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
RegCloseKey.KERNEL32(?), ref: 0040DC57

Strings

C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, xrefs: 0040235C, 0040D73B

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CloseValue
String ID: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe
API String ID: 3132538880-1803433813
Opcode ID: 4641593bd5b9a3a0876b7d8202a09f3115f7eab90c517f239208f8895dcf671e
Instruction ID: b1a5d16bc2ceaa1898fa32fc664c1ab5dfaf230487324fad3e5fab9b3683b2a9
Opcode Fuzzy Hash: 4641593bd5b9a3a0876b7d8202a09f3115f7eab90c517f239208f8895dcf671e
Instruction Fuzzy Hash: 3811E12190D6808FC7455B64AF60AA63BB4A706344F1511BFE586B72A3D67C080EEB5F

Function 004017DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
RegCloseKey.KERNEL32(?), ref: 0040DC57

Strings

classic_home_cinema_i56, xrefs: 00401E76

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CloseValue
String ID: classic_home_cinema_i56
API String ID: 3132538880-2700033101
Opcode ID: 4287fdbf53fc794595f1aed1c1d10a152eebe4ca104611573b2e0ccfdb467f27
Instruction ID: abb10eb6e4bb699019dab5373a34cee33de05093fc496e8c800fed89ae831c8e
Opcode Fuzzy Hash: 4287fdbf53fc794595f1aed1c1d10a152eebe4ca104611573b2e0ccfdb467f27
Instruction Fuzzy Hash: 630181319095848FD7554B64AF65BE63B74E316340F1100BAE586772B3D63C0D4AEB1F

Function 00401E73 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
RegCloseKey.KERNEL32(?), ref: 0040DC57

Strings

classic_home_cinema_i56, xrefs: 00401E76

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CloseValue
String ID: classic_home_cinema_i56
API String ID: 3132538880-2700033101
Opcode ID: 75121968fd5ef4a19553090efa96eea6fe73361e7bcf2ad820954a38ba505515
Instruction ID: 36ff87731a71f486ac3fab46f0b3d8485277f928bed09576c9e55bbfb23ba6dd
Opcode Fuzzy Hash: 75121968fd5ef4a19553090efa96eea6fe73361e7bcf2ad820954a38ba505515
Instruction Fuzzy Hash: FD01D1315095808FC7418BA4AF60AE63B74E306300B1000BAE186772B3D63C0D5AEF1E

Function 00AB353E Relevance: 4.6, APIs: 3, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB3543

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 235f107673443dc190cec384a7956e355a63a6fa6f988b7f9f38d46a6759e2de
Instruction ID: 55d495cbf710b7d77a16d2708a889043931cc46192548ae19a3ce1db81c14a24
Opcode Fuzzy Hash: 235f107673443dc190cec384a7956e355a63a6fa6f988b7f9f38d46a6759e2de
Instruction Fuzzy Hash: 32515EB1904216EFCF18DF68D5516AABBB4FF08320F14815EF8299B382D774DA11CBA0

Function 00AB369A Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 00AB36A7

Part of subcall function 00AB2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00AB2432
Part of subcall function 00AB2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00AB2445
Part of subcall function 00AB2420: RtlEnterCriticalSection.NTDLL(?), ref: 00AB2454
Part of subcall function 00AB2420: InterlockedExchange.KERNEL32(?,00000001), ref: 00AB2469
Part of subcall function 00AB2420: RtlLeaveCriticalSection.NTDLL(?), ref: 00AB2470

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
String ID:
API String ID: 1601054111-0
Opcode ID: b4aa6f2a65ab516e39ad99536178505f1d346e8660fb3003a2c010debe0eab87
Instruction ID: f5f0225326dac021eac9bcd1976359e123d1fc7512b1778c9c77393ec60c4a20
Opcode Fuzzy Hash: b4aa6f2a65ab516e39ad99536178505f1d346e8660fb3003a2c010debe0eab87
Instruction Fuzzy Hash: 4B11E7F6100208ABDF21DF54CC45FEA3BADEF05350F204116FE12CA692CB74D9A19B94

Function 00AC10F0 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 00AC1106
CloseHandle.KERNEL32(?,?,?,?,?,00000002,00AB9985,00000000), ref: 00AC1137
ResumeThread.KERNEL32(?,?,?,?,?,00000002,00AB9985,00000000), ref: 00AC1145

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: 8b95f5f5a0ef942ccfb866243ed6ef3e795ab37ca4f15787da0755430f02c580
Instruction ID: fdb5194742b01e5121ae2cb26c1f33046da4489dc877da8c514b48d7bb093909
Opcode Fuzzy Hash: 8b95f5f5a0ef942ccfb866243ed6ef3e795ab37ca4f15787da0755430f02c580
Instruction Fuzzy Hash: 88F0C274300200AFDB209FACDC80F95B3E8EF49325F29062EF254C7291C3B5EC828A90

Function 00AB1AA9 Relevance: 4.5, APIs: 3, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00AE529C), ref: 00AB1ABA
WSAStartup.WS2_32(00000002,00000000), ref: 00AB1ACB
InterlockedExchange.KERNEL32(00AE52A0,00000000), ref: 00AB1AD7

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: 66d272f0f0b7876379189feb5d4e2b03b7d0acf6851ac635b2e8b4d81ca75709
Instruction ID: 40dc45aff4d808c931df1ec38a8da7f38344e60a06043e59574178f0609c7fdf
Opcode Fuzzy Hash: 66d272f0f0b7876379189feb5d4e2b03b7d0acf6851ac635b2e8b4d81ca75709
Instruction Fuzzy Hash: EDD05E31D45A046FD220BBF1AD0EAB87B6CE70A716F800656FE66C41D1EA51691085A6

Function 00AB4BED Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB4BF2

Part of subcall function 00AB1BA7: __EH_prolog.LIBCMT ref: 00AB1BAC
Part of subcall function 00AB1BA7: RtlEnterCriticalSection.NTDLL ref: 00AB1BBC
Part of subcall function 00AB1BA7: RtlLeaveCriticalSection.NTDLL ref: 00AB1BEA
Part of subcall function 00AB1BA7: RtlEnterCriticalSection.NTDLL ref: 00AB1C13
Part of subcall function 00AB1BA7: RtlLeaveCriticalSection.NTDLL ref: 00AB1C56

Part of subcall function 00ABD0F7: __EH_prolog.LIBCMT ref: 00ABD0FC
Part of subcall function 00ABD0F7: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00ABD17B

InterlockedExchange.KERNEL32(?,00000000), ref: 00AB4CF2

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
String ID:
API String ID: 1927618982-0
Opcode ID: 560a52164de4c452ff6f7ea95f6c6e21be8001f7cc90dcc6ca92da74a7a1f6ec
Instruction ID: 0630d933407f25090d9db07559b9cde278df67fc64066a85a86104b7d272d173
Opcode Fuzzy Hash: 560a52164de4c452ff6f7ea95f6c6e21be8001f7cc90dcc6ca92da74a7a1f6ec
Instruction Fuzzy Hash: 99512671D04248DFDB15DFA8C995AEEBFB8EF08310F14816AE806AB353DB709A44CB51

Function 00401807 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00409178), ref: 00401812

Strings

hq~N, xrefs: 0040DAFE

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: lstrcmpi
String ID: hq~N
API String ID: 1586166983-2856139384
Opcode ID: 1408b6bc1364a524a577bb1ecb9208685e1e78e33e21863dad005ec10d89d2c5
Instruction ID: 02c9e1440662b1061e397cefb6380b0f254cf22eb9495d952fe0c81fe0b57e01
Opcode Fuzzy Hash: 1408b6bc1364a524a577bb1ecb9208685e1e78e33e21863dad005ec10d89d2c5
Instruction Fuzzy Hash: 0D212430918285CBC7109BA9EE547E63BB0B706300F5481B5D585B62B3C33C8D4AEB0C

Function 00AB2D39 Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00AB2D47
WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00AB2D5C

Part of subcall function 00AB9505: WSAGetLastError.WS2_32(00000000,?,?,00AB2A51), ref: 00AB9513

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: efce0dbef11b7d9b644105f935a7ad2a5b2b74272824895171b6dfd1c6aa0746
Instruction ID: d9ee502cc32006c64a449918778e65d161abef1f4c2a82aba1beed4002bb8025
Opcode Fuzzy Hash: efce0dbef11b7d9b644105f935a7ad2a5b2b74272824895171b6dfd1c6aa0746
Instruction Fuzzy Hash: 700184B5500205AFDB20AFA9DD459ABBBFCEF453A4720052FF95983201EB709D019761

Function 00401B83 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00409178), ref: 00401812

Strings

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, xrefs: 00401B92

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: lstrcmpi
String ID: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
API String ID: 1586166983-2063213804
Opcode ID: 73f53f1329700b03cf39f3da3dd474ad4c5c296959517e005705f258587d62e8
Instruction ID: 37889ca4e6f963634dbb771ac37cc27f8cb514cf9ce9245705ad4c9862584455
Opcode Fuzzy Hash: 73f53f1329700b03cf39f3da3dd474ad4c5c296959517e005705f258587d62e8
Instruction Fuzzy Hash: 79014B31D10205CBD7109B59DE88B9977B4FB0A341F2080BAE549F62E1DB789E4ADB4C

Function 00403B64 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75

Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B

HeapDestroy.KERNEL32 ref: 00403BB4

Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
Opcode Fuzzy Hash: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D

Function 00AB5119 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00AB511E

Part of subcall function 00AB3D7E: htons.WS2_32(?), ref: 00AB3DA2
Part of subcall function 00AB3D7E: htonl.WS2_32(00000000), ref: 00AB3DB9
Part of subcall function 00AB3D7E: htonl.WS2_32(00000000), ref: 00AB3DC0

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: htonl$H_prologhtons
String ID:
API String ID: 4039807196-0
Opcode ID: 9317cac234aba1c3b99956b1bfb76be75bb3c9abeba734b5d38fe20455e7977c
Instruction ID: 248b9c4a231968ef9a191a04373b117ebe2d0cb69e87bc673e2b3617ab95e1ea
Opcode Fuzzy Hash: 9317cac234aba1c3b99956b1bfb76be75bb3c9abeba734b5d38fe20455e7977c
Instruction Fuzzy Hash: CC814975D0424E8ECF05DFA8D190AEEBBF8EF48310F20815AD851BB242EA765A45CF61

Function 00ABD9C0 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ABD9C5

Part of subcall function 00AB1A01: TlsGetValue.KERNEL32 ref: 00AB1A0A

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 82348e04484e8ee50c8da58666bf775aaaedbc9b57f51c7619e041899d0a9e6b
Instruction ID: b6bea9c03c347872202ffae1e3e25b1a285502e34ea29b33551c988164a0372a
Opcode Fuzzy Hash: 82348e04484e8ee50c8da58666bf775aaaedbc9b57f51c7619e041899d0a9e6b
Instruction Fuzzy Hash: A52121B2904209AFDB04DF95D541AEEBBFCEF49350F10411EE515A7242E775AA00DBA1

Function 004018C3 Relevance: 1.6, APIs: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32 ref: 004018C3

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0fd94987bcb25d7c377d2996674c6c4ad75bd9d17f6e3ebe7861f22310b9b88b
Instruction ID: b943bf9dd02f481aa5c205b1905e0ba4ea34cd51cd036043cf3558cfe0d4bd24
Opcode Fuzzy Hash: 0fd94987bcb25d7c377d2996674c6c4ad75bd9d17f6e3ebe7861f22310b9b88b
Instruction Fuzzy Hash: F311E365A0D6818FC7018B74AF606E23BB4A716340B8410BAD0DAA7273D63C4D47EB1E

Function 00ABD550 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ABD555

Part of subcall function 00AB26DB: RtlEnterCriticalSection.NTDLL(?), ref: 00AB2706
Part of subcall function 00AB26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00AB272B
Part of subcall function 00AB26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00AD3163), ref: 00AB2738
Part of subcall function 00AB26DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 00AB2778
Part of subcall function 00AB26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 00AB27D9

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID:
API String ID: 4293676635-0
Opcode ID: 67f1101348cb02834b029726b95c507ea74ef3b42a76a49239f457a5f7bfe99d
Instruction ID: 30ebeb56b4c9bd635b5589afe2a52664b912e49256c3005f34614338496c22ce
Opcode Fuzzy Hash: 67f1101348cb02834b029726b95c507ea74ef3b42a76a49239f457a5f7bfe99d
Instruction Fuzzy Hash: F5019EB1910B14DFC728CF1AD540999FBE4FF88710B16C5AF944A9B722E7B1AA40CB94

Function 00ABD32F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00ABD334

Part of subcall function 00AC27B5: _malloc.LIBCMT ref: 00AC27CD

Part of subcall function 00ABD550: __EH_prolog.LIBCMT ref: 00ABD555

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: bb91d1545742ffdbe79c4e63aa6db15319505e125f0568b94a55416661cedf98
Instruction ID: 97598f68db83e28a0b3a7aa8e44e44eae8f6c582e505792581e784afe68ebc33
Opcode Fuzzy Hash: bb91d1545742ffdbe79c4e63aa6db15319505e125f0568b94a55416661cedf98
Instruction Fuzzy Hash: 34E08C71A00105ABCB19DF68D9127AD77A4EB44300F0046AEB80AD6341EB308A008651

Function 00AC2452 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC48BA: __getptd_noexit.LIBCMT ref: 00AC48BB
Part of subcall function 00AC48BA: __amsg_exit.LIBCMT ref: 00AC48C8

Part of subcall function 00AC2493: __getptd_noexit.LIBCMT ref: 00AC2497
Part of subcall function 00AC2493: __freeptd.LIBCMT ref: 00AC24B1
Part of subcall function 00AC2493: RtlExitUserThread.NTDLL(?,00000000,?,00AC2473,00000000), ref: 00AC24BA

__XcptFilter.LIBCMT ref: 00AC247F

Part of subcall function 00AC7944: __getptd_noexit.LIBCMT ref: 00AC7948

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
String ID:
API String ID: 1405322794-0
Opcode ID: 3b0600f51b08c862891ec26eb6d2868e48f423b9148bd73e984882a69f007489
Instruction ID: 9d193704293b1329fb78564e518a94507be98a05d3bc665c182a3d67afd73ffc
Opcode Fuzzy Hash: 3b0600f51b08c862891ec26eb6d2868e48f423b9148bd73e984882a69f007489
Instruction Fuzzy Hash: E8E0ECB5944604AFEB08BBA0DA0AF2E77A5AF04311F21459DF1029B2A2CA749940DF24

Function 00401EC0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32 ref: 00401EC0

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c72abbdb5a8916e4e24aebaccfaa2dc4555aad13b2a805eb269692c872dd74b
Instruction ID: bb3ea7cc9101fcf5625ecd8c52feba8398713153468fd2575f0ccc666973f7e5
Opcode Fuzzy Hash: 0c72abbdb5a8916e4e24aebaccfaa2dc4555aad13b2a805eb269692c872dd74b
Instruction Fuzzy Hash: 56E0E574D01218DFCB14CE98D5A4BECB7B1BB08300F10806AE80277390D7395849DA19

Function 0040D445 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?), ref: 0040D45D

Memory Dump Source

Source File: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c69ef31a7dd5daa9f4eddc9d810b040cbef82ecd0c1d190c9d93c4d740a89546
Instruction ID: 27853292b9ebee26673c9e2a29a24e742e5dd7611a9ba99aca8ceaee4ed323a0
Opcode Fuzzy Hash: c69ef31a7dd5daa9f4eddc9d810b040cbef82ecd0c1d190c9d93c4d740a89546
Instruction Fuzzy Hash: 9DD0A7F0D0502CABC71496529E89EE7225CCB04B40F140077650AF20D2E67C8A496A3B

Function 00AEFE8C Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00B1A3D1

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae8000_classichomecinema.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5d1af92810e3336f48f7e051dcd9041a263417117cbc74df5e94e2152289242a
Instruction ID: 6970130845bc06879a9beff4d9a11339f1730972e4c627a5eabdd29547dfb8b9
Opcode Fuzzy Hash: 5d1af92810e3336f48f7e051dcd9041a263417117cbc74df5e94e2152289242a
Instruction Fuzzy Hash: AFD092B041DA00CFD305AF59D484679BBF1EF88700F52882D92C582A18DA700081AA9B

Function 004019B4 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32 ref: 0040D0A1

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6cee8c885636b5c7a1842f4f198ef58604c2e65a1783f243f6e934eccc6f75ac
Instruction ID: 674d0c7ab9eb076612fc70335bf35aceca667704559374c7c7f61bf7c3824fc7
Opcode Fuzzy Hash: 6cee8c885636b5c7a1842f4f198ef58604c2e65a1783f243f6e934eccc6f75ac
Instruction Fuzzy Hash: 1EC012B4A8D128DAC206A6D64E08EFDB1684F09300F3004736587300D28AFC088A6AAF

Function 0040D727 Relevance: 1.5, APIs: 1, Instructions: 6registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?), ref: 0040E063

Memory Dump Source

Source File: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a8de28602004eb34c581e09bfa0515beefc3a9b04618b09406c365c5d84848a7
Instruction ID: 9e0b40aab8dab8ddf24eea744c943b127f270eb78f13ff0892a98b979a6b27b3
Opcode Fuzzy Hash: a8de28602004eb34c581e09bfa0515beefc3a9b04618b09406c365c5d84848a7
Instruction Fuzzy Hash: 0BB09230904129DACB114F718A0877E7A70BA40700B114D2AC462B1090C7B98112BA5A

Function 0040D5E6 Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 0040D5E6

Memory Dump Source

Source File: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8f1124ad888b4c9081d48329b3ea00d471a1649e9795068a1de60722a707dddc
Instruction ID: 4a60a1b0ca679bb79b7e450458cb74753b6a01bb9afd35d6987d8c6a1826db30
Opcode Fuzzy Hash: 8f1124ad888b4c9081d48329b3ea00d471a1649e9795068a1de60722a707dddc
Instruction Fuzzy Hash: ABA022A0E0C002FEE8A02FC00EAEF2222CC030030CFA080323303300C0083C000EEA2E

Function 0040183A Relevance: 1.5, APIs: 1, Instructions: 5registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 0040DF3A

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e66dba9bc5a59dec1b9cdc0a82b5261c8e6dde639c67a711cb867eaa7357f7a8
Instruction ID: 3e4ad85b022d709214506f7c5254eb6a474fc2c7e84a93c50c55e0b9104debd3
Opcode Fuzzy Hash: e66dba9bc5a59dec1b9cdc0a82b5261c8e6dde639c67a711cb867eaa7357f7a8
Instruction Fuzzy Hash: 1BB01230C08001D6CE000BC08A0481876315E01310322803396C3300E08A3D4409BA1F

Function 0040D5A3 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 0040D5A3

Memory Dump Source

Source File: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: f5a9a6cd0d3dfde358d1ed34cf1567730a744f26f3328395782056a37fe8e46c
Instruction ID: ca83de31cf88e0f7b1adfe4b18ba6b195261e8afb7945e6c10c43b12717cba52
Opcode Fuzzy Hash: f5a9a6cd0d3dfde358d1ed34cf1567730a744f26f3328395782056a37fe8e46c
Instruction Fuzzy Hash: 01A00270914105EFCB104F659AC806CBEB5B648391BB1887EE04BF25A0DB3446CDAA59

Function 00401D97 Relevance: 1.5, APIs: 1, Instructions: 3registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00401D97

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5eacc4ed5d6b71a6d6739c56d810addfd786f62a5f4c78bf6b01d583d0a40c8d
Instruction ID: a1f870591d39bb6d8b96134987fb6292501960ea232182ac0741a513a4621017
Opcode Fuzzy Hash: 5eacc4ed5d6b71a6d6739c56d810addfd786f62a5f4c78bf6b01d583d0a40c8d
Instruction Fuzzy Hash: 08900220204101DAE2040A725A4821566D8660874572145395443E1161DA3480055929

Function 00AC1160 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0610: OpenEventA.KERNEL32(00100002,00000000,00000000,04E612CA), ref: 00AC06B0
Part of subcall function 00AC0610: CloseHandle.KERNEL32(00000000), ref: 00AC06C5
Part of subcall function 00AC0610: ResetEvent.KERNEL32(00000000,04E612CA), ref: 00AC06CF
Part of subcall function 00AC0610: CloseHandle.KERNEL32(00000000,04E612CA), ref: 00AC0704

TlsSetValue.KERNEL32(0000002B,?), ref: 00AC11AA

Memory Dump Source

Source File: 00000002.00000002.3555577941.0000000000AB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab1000_classichomecinema.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: 544f75488d2f826cfd534f392688e58bbab03cd7d30ae3dbcbfbc274844ed6ca
Instruction ID: 69e4ad5a1763c499df4fb58a7004d71cefcd62cb64fab8d75f71a482374ba47e
Opcode Fuzzy Hash: 544f75488d2f826cfd534f392688e58bbab03cd7d30ae3dbcbfbc274844ed6ca
Instruction Fuzzy Hash: 3B018B71A04648EFC710CF99DD45F5ABBA8FB09770F104B2AF825D7380D775A9008BA0

Function 00401649 Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000040,00409068), ref: 0040D0F5

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e0ac0af364bcf308370d120fd539e398a1cb38d8b3d6c89812f58aa12c3aa18
Instruction ID: 6bf2a068bfca1c8f86339732706a30905d399dbcba2ad77db48a53c6abb8bc1c
Opcode Fuzzy Hash: 9e0ac0af364bcf308370d120fd539e398a1cb38d8b3d6c89812f58aa12c3aa18
Instruction Fuzzy Hash: 6F018F30A01209AFDB04DF98C859BEEBBB4EB04310F10406AB655B76C1D378A945DB16

Function 0040D407 Relevance: 1.3, APIs: 1, Instructions: 6sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0040D862

Memory Dump Source

Source File: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: af258db13700fd9185a0206c61946e01d9dbc35cdb0cb0c98d9fd85e272a22aa
Instruction ID: c0f68ce38cdc4fabbd5a2d72d20c4ce279d657f5bf4ba57cb2acef1ece1c22d5
Opcode Fuzzy Hash: af258db13700fd9185a0206c61946e01d9dbc35cdb0cb0c98d9fd85e272a22aa
Instruction Fuzzy Hash: 05B01230D44200DBD24057E0CF44A3C36749710300F100167E522B71D0CF381A45550F

Function 00401CE6 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 0040D0B6

Memory Dump Source

Source File: 00000002.00000002.3554963346.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3554963346.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d8ab2787facf2e2e3614e7dcd922b2cf540d4d131cdf778710a0da2ab63d60cd
Instruction ID: 7353c5f7f151f97415b3cc1148ceb921584a2174ecfd3d22fe05316cc8b1a890
Opcode Fuzzy Hash: d8ab2787facf2e2e3614e7dcd922b2cf540d4d131cdf778710a0da2ab63d60cd
Instruction Fuzzy Hash: 7CA002609CD610C6E1485B907B59B2535306F00725F662137924BB84E14A7D550BBA5F

Non-executed Functions

Function 6096748C Relevance: 131.0, APIs: 72, Strings: 2, Instructions: 1504COMMON

Download Yara Rule

APIs

sqlite3_malloc.SQLITE3 ref: 609674C6

Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B

sqlite3_step.SQLITE3 ref: 6096755A
sqlite3_malloc.SQLITE3 ref: 6096783A
sqlite3_bind_int64.SQLITE3 ref: 609678A8
sqlite3_column_bytes.SQLITE3 ref: 609678E8
sqlite3_column_blob.SQLITE3 ref: 60967901
sqlite3_column_int64.SQLITE3 ref: 6096791A
sqlite3_column_int64.SQLITE3 ref: 60967931
sqlite3_column_int64.SQLITE3 ref: 60967950
sqlite3_step.SQLITE3 ref: 609679C3
sqlite3_bind_int64.SQLITE3 ref: 60967AA9
sqlite3_step.SQLITE3 ref: 60967AB4
sqlite3_column_int.SQLITE3 ref: 60967AC7
sqlite3_reset.SQLITE3 ref: 60967AD4
sqlite3_bind_int.SQLITE3 ref: 60967B89
sqlite3_step.SQLITE3 ref: 60967B94
sqlite3_column_int64.SQLITE3 ref: 60967BB0
sqlite3_column_int64.SQLITE3 ref: 60967BCF
sqlite3_column_int64.SQLITE3 ref: 60967BE6
sqlite3_column_bytes.SQLITE3 ref: 60967C05
sqlite3_column_blob.SQLITE3 ref: 60967C1E

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50

sqlite3_bind_int64.SQLITE3 ref: 60967C72
sqlite3_step.SQLITE3 ref: 60967C7D
memcmp.MSVCRT ref: 60967D4C
sqlite3_free.SQLITE3 ref: 60967D69
sqlite3_free.SQLITE3 ref: 60967D74
sqlite3_free.SQLITE3 ref: 60967FF7
sqlite3_free.SQLITE3 ref: 60968002

Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621

sqlite3_reset.SQLITE3 ref: 60967C93

Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE

sqlite3_reset.SQLITE3 ref: 60967CA7
sqlite3_reset.SQLITE3 ref: 60968035
sqlite3_bind_int64.SQLITE3 ref: 60967B72

Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3

sqlite3_bind_int64.SQLITE3 ref: 6096809D
sqlite3_bind_int64.SQLITE3 ref: 609680C6
sqlite3_step.SQLITE3 ref: 609680D1
sqlite3_column_int.SQLITE3 ref: 609680F3
sqlite3_reset.SQLITE3 ref: 60968104
sqlite3_step.SQLITE3 ref: 60968139
sqlite3_column_int64.SQLITE3 ref: 60968151
sqlite3_reset.SQLITE3 ref: 6096818A

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF

sqlite3_reset.SQLITE3 ref: 609679E9

Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF

sqlite3_column_bytes.SQLITE3 ref: 60967587

Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4

sqlite3_column_blob.SQLITE3 ref: 60967572

Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596

sqlite3_reset.SQLITE3 ref: 609675B7
sqlite3_bind_int.SQLITE3 ref: 60967641
sqlite3_step.SQLITE3 ref: 6096764C
sqlite3_column_int64.SQLITE3 ref: 6096766E
sqlite3_reset.SQLITE3 ref: 6096768B
sqlite3_bind_int.SQLITE3 ref: 6096754F

Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704

sqlite3_bind_int.SQLITE3 ref: 609690B2
sqlite3_bind_blob.SQLITE3 ref: 609690DB
sqlite3_step.SQLITE3 ref: 609690E6
sqlite3_reset.SQLITE3 ref: 609690F1
sqlite3_free.SQLITE3 ref: 60969102
sqlite3_free.SQLITE3 ref: 6096910D

Strings

d, xrefs: 6096875D
, xrefs: 60968643

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
String ID: $d
API String ID: 2451604321-2084297493
Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41

Function 6096A5EE Relevance: 81.5, APIs: 45, Strings: 1, Instructions: 1006COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6096A64C
sqlite3_value_bytes.SQLITE3 ref: 6096A656
sqlite3_strnicmp.SQLITE3 ref: 6096A682
sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
sqlite3_mprintf.SQLITE3 ref: 6096A6F9
sqlite3_malloc.SQLITE3 ref: 6096A754
sqlite3_step.SQLITE3 ref: 6096A969
sqlite3_free.SQLITE3 ref: 6096A9AC
sqlite3_finalize.SQLITE3 ref: 6096A9BB
sqlite3_strnicmp.SQLITE3 ref: 6096B04A

Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445

sqlite3_value_int.SQLITE3 ref: 6096B241
sqlite3_malloc.SQLITE3 ref: 6096B270
sqlite3_bind_null.SQLITE3 ref: 6096B2DF
sqlite3_step.SQLITE3 ref: 6096B2EA
sqlite3_reset.SQLITE3 ref: 6096B2F5
sqlite3_value_int.SQLITE3 ref: 6096B43B
sqlite3_value_text.SQLITE3 ref: 6096B530
sqlite3_value_bytes.SQLITE3 ref: 6096B576
sqlite3_free.SQLITE3 ref: 6096B5F4

Strings

optimize, xrefs: 6096A677

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
String ID: optimize
API String ID: 1540667495-3797040228
Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41

Function 609660FA Relevance: 39.4, APIs: 19, Strings: 3, Instructions: 926COMMON

Download Yara Rule

APIs

sqlite3_finalize.SQLITE3 ref: 60966178
sqlite3_free.SQLITE3 ref: 60966183
sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
sqlite3_value_text.SQLITE3 ref: 60966236
sqlite3_value_int.SQLITE3 ref: 60966274
memcmp.MSVCRT ref: 6096639E

Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D

sqlite3_mprintf.SQLITE3 ref: 60966B51
sqlite3_mprintf.SQLITE3 ref: 60966B7D

Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA

Strings

DESC, xrefs: 60966CB3
x, xrefs: 609664F1
ASC, xrefs: 60966CA5

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
String ID: ASC$DESC$x
API String ID: 4082667235-1162196452
Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41

Function 6096923E Relevance: 29.3, APIs: 19, Instructions: 779COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
sqlite3_step.SQLITE3(?,?), ref: 609693B0
sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC

Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354

sqlite3_reset.SQLITE3(?,?), ref: 609693F3
sqlite3_malloc.SQLITE3(?), ref: 60969561
sqlite3_malloc.SQLITE3(?), ref: 6096958D
sqlite3_step.SQLITE3(?), ref: 609695D2
sqlite3_column_int64.SQLITE3(?), ref: 609695EA
sqlite3_reset.SQLITE3(?), ref: 60969604
sqlite3_realloc.SQLITE3(?), ref: 609697D0
sqlite3_realloc.SQLITE3(?), ref: 609698A9

Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0

sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
sqlite3_bind_int64.SQLITE3(?), ref: 6096934D

Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3

sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
sqlite3_step.SQLITE3(?,?), ref: 60969A75
sqlite3_reset.SQLITE3(?,?), ref: 60969A80
sqlite3_free.SQLITE3(?), ref: 60969D41
sqlite3_free.SQLITE3(?), ref: 60969D4C
sqlite3_free.SQLITE3(?), ref: 60969D5B

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
String ID:
API String ID: 961572588-0
Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81

Function 60963143 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 60963159
sqlite3_bind_int64.SQLITE3 ref: 609633E6
sqlite3_mutex_leave.SQLITE3 ref: 609634B6

Strings

indexed, xrefs: 609631F0
2, xrefs: 60963403
foreign key, xrefs: 609631B8

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
String ID: 2$foreign key$indexed
API String ID: 4126863092-702264400
Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40

Function 6094A6C5 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 6094A72B
sqlite3_step.SQLITE3 ref: 6094A73C
sqlite3_column_blob.SQLITE3 ref: 6094A760
sqlite3_column_bytes.SQLITE3 ref: 6094A77C
sqlite3_malloc.SQLITE3 ref: 6094A793
sqlite3_reset.SQLITE3 ref: 6094A7F2
sqlite3_free.SQLITE3(?), ref: 6094A87C

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
String ID:
API String ID: 2794791986-0
Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90

Function 6093323D Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 432COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 609334A2
sqlite3_stricmp.SQLITE3 ref: 609334BB

Strings

USING COVERING INDEX , xrefs: 609333F7
DISTINCT, xrefs: 60933658
ORDER BY, xrefs: 60933671

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: USING COVERING INDEX $DISTINCT$ORDER BY
API String ID: 912767213-1308749736
Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41

Function 6094B407 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 6094B488
sqlite3_step.SQLITE3 ref: 6094B496
sqlite3_reset.SQLITE3 ref: 6094B4A4
sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
sqlite3_step.SQLITE3 ref: 6094B4E0
sqlite3_reset.SQLITE3 ref: 6094B4EE

Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
String ID:
API String ID: 4082478743-0
Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51

Function 6094D33B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 6094D354
sqlite3_mutex_leave.SQLITE3 ref: 6094D546

Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8

sqlite3_stricmp.SQLITE3 ref: 6094D3DA

Strings

BINARY, xrefs: 6094D45D, 6094D469
INTEGER, xrefs: 6094D462

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
String ID: BINARY$INTEGER
API String ID: 317512412-1676293250
Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80

Function 6094B54C Relevance: 7.6, APIs: 5, Instructions: 145COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 6094B582
sqlite3_step.SQLITE3 ref: 6094B590
sqlite3_column_int64.SQLITE3 ref: 6094B5AD
sqlite3_reset.SQLITE3 ref: 6094B5EE
memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
String ID:
API String ID: 2802900177-0
Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81

Function 6093F42E Relevance: 6.4, APIs: 4, Instructions: 416COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 6093F443

Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8

sqlite3_mutex_enter.SQLITE3 ref: 6093F45C

Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA

sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
String ID:
API String ID: 4038589952-0
Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40

Function 6094C64A Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F

sqlite3_bind_int64.SQLITE3 ref: 6094C719
sqlite3_step.SQLITE3 ref: 6094C72A
sqlite3_reset.SQLITE3 ref: 6094C73B

Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5

Part of subcall function 6094A9F5: sqlite3_free.SQLITE3(?,?,?,00000000,?,?,6094AC3F), ref: 6094AA7A

sqlite3_free.SQLITE3 ref: 6094C881

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
String ID:
API String ID: 3487101843-0
Opcode ID: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
Opcode Fuzzy Hash: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90

Function 6096A38C Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B

sqlite3_bind_int.SQLITE3 ref: 6096A3DE

Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704

sqlite3_column_int.SQLITE3 ref: 6096A3F3
sqlite3_step.SQLITE3 ref: 6096A435
sqlite3_reset.SQLITE3 ref: 6096A445

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
String ID:
API String ID: 247099642-0
Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51

Function 6096A2BD Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B

sqlite3_bind_int64.SQLITE3 ref: 6096A322

Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3

sqlite3_step.SQLITE3 ref: 6096A32D
sqlite3_column_int.SQLITE3 ref: 6096A347

Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C

sqlite3_reset.SQLITE3 ref: 6096A354

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
String ID:
API String ID: 326482775-0
Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51

Function 6094B6ED Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 6094B71E

Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3

sqlite3_bind_int64.SQLITE3 ref: 6094B73C
sqlite3_step.SQLITE3 ref: 6094B74A

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
String ID:
API String ID: 3305529457-0
Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6

Function 6090C1D6 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
sqlite3_mutex_leave.SQLITE3 ref: 6090C22F

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1

Function 609255D4 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406

sqlite3_mutex_leave.SQLITE3 ref: 609255B2

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5

Function 609254B1 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406

sqlite3_mutex_leave.SQLITE3 ref: 60925508

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0

Function 60925686 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406

sqlite3_mutex_leave.SQLITE3 ref: 609256D3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0

Function 60925655 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406

sqlite3_mutex_leave.SQLITE3 ref: 60925678

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1

Function 609256E5 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 60925704

Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_mutex_leave
String ID:
API String ID: 3064317574-0
Opcode ID: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
Instruction ID: 7a9bf9350bb0d435b7485bd9c083abc2dab3a9c90cc7cce47300d03dda88f0d0
Opcode Fuzzy Hash: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
Instruction Fuzzy Hash: FFD092B4909309AFCB00EF29C48644EBBE5AF98258F40C82DFC98C7314E274E8408F92

Function 609255FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
Instruction ID: 29002ccca7877ead4b7e7e784383ace88c03f26ddf616943a2b43c0eb71ea2e3
Opcode Fuzzy Hash: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
Instruction Fuzzy Hash: 36E0E2B850430DABDF00CF09D8C188A7BAAFB08364F10C119FC190B305C371E9548BA1

Function 6092562A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
Instruction ID: a276b763828cd9d21177d39229c24ef0f5c00ef14d0f26540801fec71d9d5410
Opcode Fuzzy Hash: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
Instruction Fuzzy Hash: 29E0E2B850430DABDF00CF09D8C198A7BAAFB08264F10C119FC190B304C331E9148BE1

Function 6090F435 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291

Function 6096C598 Relevance: 51.2, APIs: 22, Strings: 7, Instructions: 417COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 6096C5BE

Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1

sqlite3_log.SQLITE3 ref: 6096C5FC
sqlite3_free.SQLITE3 ref: 6096C67E
sqlite3_free.SQLITE3 ref: 6096CD71
sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
sqlite3_errcode.SQLITE3 ref: 6096CD88
sqlite3_close.SQLITE3 ref: 6096CD97
sqlite3_create_function.SQLITE3 ref: 6096CDF8

Strings

simple, xrefs: 6096CAAC
BINARY, xrefs: 6096C752, 6096C77A, 6096C7A2, 6096C7E7
rtree_i32, xrefs: 6096CD1E
RTRIM, xrefs: 6096C7CA
NOCASE, xrefs: 6096C817
porter, xrefs: 6096CACA
rtree, xrefs: 6096CCF8

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
API String ID: 1320758876-2501389569
Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82

Function 60926471 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 609264C9

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

sqlite3_free.SQLITE3 ref: 60926526
sqlite3_free.SQLITE3 ref: 6092652E
sqlite3_free.SQLITE3 ref: 6092658C
sqlite3_free.SQLITE3 ref: 60926626
sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
sqlite3_free.SQLITE3 ref: 60926638
sqlite3_snprintf.SQLITE3 ref: 6092666B
sqlite3_free.SQLITE3 ref: 60926673
sqlite3_snprintf.SQLITE3 ref: 609266B8

Strings

\, xrefs: 6092668B
winFullPathname1, xrefs: 609264DE
winFullPathname2, xrefs: 60926543
winFullPathname3, xrefs: 609265A1
winFullPathname4, xrefs: 6092660B

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
API String ID: 937752868-2111127023
Opcode ID: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
Instruction ID: 65a1564e5812e901c47d2d0e8e64920046ae54dd737849fc0956122b524b53c9
Opcode Fuzzy Hash: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
Instruction Fuzzy Hash: 19512C706187018FE700AF69D88575DBFF6AFA5708F10C81DE8999B214EB78C845DF42

Function 6092A6C1 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 352COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6092A712
sqlite3_malloc.SQLITE3 ref: 6092A738
memcmp.MSVCRT ref: 6092A7A9
sqlite3_mprintf.SQLITE3 ref: 6092A7C7
memcmp.MSVCRT ref: 6092A96E
memcmp.MSVCRT ref: 6092A998
memcmp.MSVCRT ref: 6092A9C6
memcmp.MSVCRT ref: 6092AA18
sqlite3_mprintf.SQLITE3 ref: 6092AA48
sqlite3_mprintf.SQLITE3 ref: 6092AA73
sqlite3_malloc.SQLITE3 ref: 6092AAB4
sqlite3_vfs_find.SQLITE3 ref: 6092AAE5
sqlite3_mprintf.SQLITE3 ref: 6092AB02
sqlite3_free.SQLITE3 ref: 6092AB17

Strings

cache, xrefs: 6092A991, 6092AB3D
@, xrefs: 6092A6E0
access, xrefs: 6092A9E6

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
String ID: @$access$cache
API String ID: 4158134138-1361544076
Opcode ID: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
Instruction ID: 35071b2ec389daa84eb338d99e29a1052eb2425681bc363379ff67fe3f9a0dd7
Opcode Fuzzy Hash: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
Instruction Fuzzy Hash: 27D19E75D183458BDB11CF69E58039EBBF7AFAA304F20846ED4949B349D339D882CB52

Function 6094844A Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 374COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
BEGIN;, xrefs: 609485DB
PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
ATTACH '' AS vacuum_db;, xrefs: 60948529
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
API String ID: 632333372-52344843
Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41

Function 609602C8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B

Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043

sqlite3_malloc.SQLITE3 ref: 60960384
sqlite3_free.SQLITE3 ref: 609605EA
sqlite3_result_error_code.SQLITE3 ref: 6096060D
sqlite3_free.SQLITE3 ref: 60960618
sqlite3_result_text.SQLITE3 ref: 6096063C

Strings

offsets, xrefs: 609602DF

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
String ID: offsets
API String ID: 463808202-2642679573
Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52

Function 6091A3AA Relevance: 16.7, APIs: 11, Instructions: 175COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6091A3C1
sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
sqlite3_value_text.SQLITE3 ref: 6091A3E4
sqlite3_value_bytes.SQLITE3 ref: 6091A416
sqlite3_value_text.SQLITE3 ref: 6091A424
sqlite3_value_bytes.SQLITE3 ref: 6091A43A
sqlite3_result_text.SQLITE3 ref: 6091A5A2

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
String ID:
API String ID: 2903785150-0
Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91

Function 6092854D Relevance: 15.4, APIs: 10, Instructions: 432COMMON

Download Yara Rule

APIs

sqlite3_malloc.SQLITE3 ref: 6092861F
sqlite3_free.SQLITE3 ref: 6092878D

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_malloc
String ID:
API String ID: 423083942-0
Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90

Function 60912453 Relevance: 15.2, APIs: 10, Instructions: 247COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
String ID:
API String ID: 3556715608-0
Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11

Function 6095F5D9 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

sqlite3_malloc.SQLITE3 ref: 6095F645
sqlite3_exec.SQLITE3 ref: 6095F686

Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8

sqlite3_free_table.SQLITE3 ref: 6095F6A0
sqlite3_mprintf.SQLITE3 ref: 6095F6C7

Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA

sqlite3_free.SQLITE3 ref: 6095F6B4

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

sqlite3_free.SQLITE3 ref: 6095F6D4
sqlite3_free.SQLITE3 ref: 6095F6ED
sqlite3_free_table.SQLITE3 ref: 6095F6FF
sqlite3_realloc.SQLITE3 ref: 6095F71B
sqlite3_free_table.SQLITE3 ref: 6095F72D

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
String ID:
API String ID: 1866449048-0
Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91

Function 6091C159 Relevance: 14.0, Strings: 11, Instructions: 290COMMON

Download Yara Rule

Strings

ANY(, xrefs: 6091C375
%s USING %sINDEX %s%s, xrefs: 6091C460
rowid, xrefs: 6091C317, 6091C3C1, 6091C400
SCAN, xrefs: 6091C1C7
AND , xrefs: 6091C363
)><, xrefs: 6091C392, 6091C434
0, xrefs: 6091C4E4
, xrefs: 6091C4F8
%s USING AUTOMATIC %sINDEX%.0s%s, xrefs: 6091C46E
SEARCH, xrefs: 6091C1A7, 6091C1D1
COVERING , xrefs: 6091C45B

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
API String ID: 0-780898
Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81

Function 609061F1 Relevance: 13.9, Strings: 11, Instructions: 114COMMON

Download Yara Rule

Strings

aolf, xrefs: 6090626D
buod, xrefs: 609062B9
txet, xrefs: 60906237
rahc, xrefs: 60906227
tni, xrefs: 6090628D
bolb, xrefs: 6090623F
laer, xrefs: 609062A7
laer, xrefs: 60906261
bolc, xrefs: 6090622F
aolf, xrefs: 609062B0
buod, xrefs: 60906279

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
API String ID: 0-2604012851
Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2

Function 60939559 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 426COMMON

Download Yara Rule

APIs

Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8

memcmp.MSVCRT ref: 60939694
memcmp.MSVCRT ref: 609396CA
memcmp.MSVCRT ref: 6093973E
sqlite3_log.SQLITE3 ref: 60939807
memcmp.MSVCRT ref: 609399B9

Strings

0, xrefs: 609399AA
SQLite format 3, xrefs: 609396BF

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: memcmp$sqlite3_logsqlite3_mutex_try
String ID: 0$SQLite format 3
API String ID: 3174206576-3388949527
Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81

Function 6095F004 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6095F030
sqlite3_value_text.SQLITE3 ref: 6095F03E
sqlite3_stricmp.SQLITE3 ref: 6095F0B3
sqlite3_free.SQLITE3 ref: 6095F180

Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8

sqlite3_free.SQLITE3 ref: 6095F1BD

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

sqlite3_result_error_code.SQLITE3 ref: 6095F34E

Strings

|, xrefs: 6095F2F5

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
String ID: |
API String ID: 1576672187-2343686810
Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81

Function 6095D3BB Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_snprintf.SQLITE3 ref: 6095D450

Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375

sqlite3_snprintf.SQLITE3 ref: 6095D4A1
sqlite3_snprintf.SQLITE3 ref: 6095D525

Strings

)><, xrefs: 6095D3ED
sqlite_temp_master, xrefs: 6095D58A
, xrefs: 6095D410
sqlite_master, xrefs: 6095D57F

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_snprintf$sqlite3_vsnprintf
String ID: $)><$sqlite_master$sqlite_temp_master
API String ID: 652164897-1572359634
Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81

Function 6091B05A Relevance: 12.3, APIs: 8, Instructions: 349COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6091B06E
sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
sqlite3_result_text.SQLITE3 ref: 6091B5A3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
String ID:
API String ID: 2352520524-0
Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82

Function 6096A481 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B

sqlite3_exec.SQLITE3 ref: 6096A4D7

Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8

sqlite3_result_text.SQLITE3 ref: 6096A5D3

Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445

sqlite3_exec.SQLITE3 ref: 6096A523
sqlite3_exec.SQLITE3 ref: 6096A554
sqlite3_exec.SQLITE3 ref: 6096A57F
sqlite3_result_error_code.SQLITE3 ref: 6096A5E1

Strings

optimize, xrefs: 6096A498

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
String ID: optimize
API String ID: 3659050757-3797040228
Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82

Function 6096544A Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

sqlite3_column_blob.SQLITE3 ref: 609654FB
sqlite3_column_bytes.SQLITE3 ref: 60965510
sqlite3_reset.SQLITE3 ref: 60965556
sqlite3_reset.SQLITE3 ref: 609655B8

Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE

sqlite3_malloc.SQLITE3 ref: 60965655
sqlite3_free.SQLITE3 ref: 60965714
sqlite3_free.SQLITE3 ref: 6096574B

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

sqlite3_free.SQLITE3 ref: 609657AA

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
String ID:
API String ID: 2722129401-0
Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81

Function 609644FC Relevance: 12.2, APIs: 8, Instructions: 204COMMON

Download Yara Rule

APIs

sqlite3_malloc.SQLITE3 ref: 609645D9

Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED

sqlite3_free.SQLITE3 ref: 609647C5

Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74

sqlite3_free.SQLITE3 ref: 6096476B

Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80

sqlite3_free.SQLITE3 ref: 6096477B
sqlite3_free.SQLITE3 ref: 60964783

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
String ID:
API String ID: 571598680-0
Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51

Function 609634F0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

sqlite3_blob_reopen.SQLITE3 ref: 60963510

Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D

sqlite3_mprintf.SQLITE3 ref: 60963534
sqlite3_blob_open.SQLITE3 ref: 6096358B
sqlite3_blob_bytes.SQLITE3 ref: 609635A3
sqlite3_malloc.SQLITE3 ref: 609635BB
sqlite3_blob_read.SQLITE3 ref: 60963602
sqlite3_free.SQLITE3 ref: 60963621

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
String ID:
API String ID: 4276469440-0
Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92

Function 6091A226 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6091A240
sqlite3_value_text.SQLITE3 ref: 6091A24E
sqlite3_value_bytes.SQLITE3 ref: 6091A25A
sqlite3_value_text.SQLITE3 ref: 6091A27C

Strings

LIKE or GLOB pattern too complex, xrefs: 6091A267
ESCAPE expression must be a single character, xrefs: 6091A293

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_bytes
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 4080917175-264706735
Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95

Function 609250BB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB

sqlite3_mutex_enter.SQLITE3 ref: 609250E7
sqlite3_value_text16.SQLITE3 ref: 60925100
sqlite3_value_text16.SQLITE3 ref: 6092512C
sqlite3_mutex_leave.SQLITE3 ref: 6092513E

Strings

out of memory, xrefs: 609250C6, 609250EC
library routine called out of sequence, xrefs: 609250D8

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
String ID: library routine called out of sequence$out of memory
API String ID: 2019783549-3029887290
Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51

Function 609406CF Relevance: 10.5, APIs: 7, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3_finalize.SQLITE3 ref: 609406E3

Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696

sqlite3_free.SQLITE3 ref: 609406F7
sqlite3_free.SQLITE3 ref: 60940705
sqlite3_free.SQLITE3 ref: 60940713
sqlite3_free.SQLITE3 ref: 6094071E
sqlite3_free.SQLITE3 ref: 60940729
sqlite3_free.SQLITE3 ref: 6094073C

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
String ID:
API String ID: 1159759059-0
Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91

Function 60947378 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 292COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3(?), ref: 609476DD

Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446

sqlite3_log.SQLITE3 ref: 609498F5

Strings

d, xrefs: 609474ED
|, xrefs: 609499CF
List of tree roots: , xrefs: 60947599

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
String ID: List of tree roots: $d$|
API String ID: 3709608969-1164703836
Opcode ID: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
Opcode Fuzzy Hash: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81

Function 60960052 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043

sqlite3_column_int64.SQLITE3 ref: 609600BA
sqlite3_column_text.SQLITE3 ref: 609600EF
sqlite3_free.SQLITE3 ref: 6096029A

Strings

e, xrefs: 60960227

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
String ID: e
API String ID: 786425071-4024072794
Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91

Function 609470DE Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

sqlite3_exec.SQLITE3 ref: 6094716D

Strings

sqlite_temp_master, xrefs: 609470F1
|, xrefs: 609499CF
sqlite_master, xrefs: 609470E7

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_exec
String ID: sqlite_master$sqlite_temp_master$|
API String ID: 2141490097-2247242311
Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41

Function 60963637 Relevance: 7.8, APIs: 5, Instructions: 258COMMON

Download Yara Rule

APIs

sqlite3_realloc.SQLITE3(?,?), ref: 6096373B
memcmp.MSVCRT(?,?), ref: 60963782
sqlite3_free.SQLITE3 ref: 60963843
sqlite3_free.SQLITE3 ref: 609638D9
sqlite3_free.SQLITE3 ref: 60963953

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$memcmpsqlite3_realloc
String ID:
API String ID: 3422960571-0
Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91

Function 6094B137 Relevance: 7.7, APIs: 5, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118

sqlite3_malloc.SQLITE3 ref: 6094B1D1
sqlite3_value_bytes.SQLITE3 ref: 6094B24C
sqlite3_malloc.SQLITE3 ref: 6094B272
sqlite3_value_blob.SQLITE3 ref: 6094B298
sqlite3_free.SQLITE3 ref: 6094B2C8

Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
String ID:
API String ID: 683514883-0
Opcode ID: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
Opcode Fuzzy Hash: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91

Function 6093A1DD Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
sqlite3_free.SQLITE3 ref: 6093A3BA
sqlite3_free.SQLITE3 ref: 6093A3C2

Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
String ID:
API String ID: 1903298374-0
Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91

Function 6093A0C5 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8

sqlite3_mutex_enter.SQLITE3 ref: 6093A114
sqlite3_mutex_free.SQLITE3 ref: 6093A152
sqlite3_mutex_leave.SQLITE3 ref: 6093A162
sqlite3_free.SQLITE3 ref: 6093A1A4
sqlite3_free.SQLITE3 ref: 6093A1C3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
String ID:
API String ID: 1894464702-0
Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91

Function 6092535E Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352

sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
sqlite3_mutex_leave.SQLITE3 ref: 609253C4
sqlite3_log.SQLITE3 ref: 609253E2
sqlite3_log.SQLITE3 ref: 60925406
sqlite3_mutex_leave.SQLITE3 ref: 60925443

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
String ID:
API String ID: 3336957480-0
Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02

Function 60961389 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

sqlite3_result_blob.SQLITE3 ref: 609613D0
sqlite3_column_int.SQLITE3 ref: 6096143A
sqlite3_data_count.SQLITE3 ref: 60961465
sqlite3_column_value.SQLITE3 ref: 60961476
sqlite3_result_value.SQLITE3 ref: 60961482

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
String ID:
API String ID: 3091402450-0
Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81

Function 60939097 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 609390AC
sqlite3_mutex_enter.SQLITE3 ref: 609390B7
sqlite3_free.SQLITE3 ref: 60939120
sqlite3_mutex_leave.SQLITE3 ref: 6093912D
sqlite3_mutex_leave.SQLITE3 ref: 60939138

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
String ID:
API String ID: 251237202-0
Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82

Function 6091A2E8 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
sqlite3_value_text.SQLITE3 ref: 6091A349
sqlite3_value_bytes.SQLITE3 ref: 6091A356
sqlite3_value_text.SQLITE3 ref: 6091A37B
sqlite3_value_bytes.SQLITE3 ref: 6091A387

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
String ID:
API String ID: 4225432645-0
Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91

Function 60903571 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
String ID:
API String ID: 251237202-0
Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42

Function 609441F6 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

string or blob too big, xrefs: 60949978
|, xrefs: 609499CF
(, xrefs: 6094449C

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: ($string or blob too big$|
API String ID: 632333372-2398534278
Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40

Function 6092362D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6094E8D4), ref: 60923675

Strings

BINARY, xrefs: 6092372C

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: BINARY
API String ID: 912767213-907554435
Opcode ID: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
Opcode Fuzzy Hash: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90

Function 6096D170 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6096D1A1
VirtualProtect.KERNEL32 ref: 6096D1E3
VirtualProtect.KERNEL32 ref: 6096D21E

Strings

@, xrefs: 6096D1C8

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: Virtual$Protect$Query
String ID: @
API String ID: 3618607426-2766056989
Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52

Function 60928335 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

sqlite3_malloc.SQLITE3 ref: 60928353

Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4

sqlite3_realloc.SQLITE3 ref: 609283A0
sqlite3_free.SQLITE3 ref: 609283B6

Strings

d, xrefs: 6092836D

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
String ID: d
API String ID: 211589378-2564639436
Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1

Function 60901184 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6090119B
GetProcAddress.KERNEL32 ref: 609011B0

Strings

_Jv_RegisterClasses, xrefs: 609011A5
libgcj-11.dll, xrefs: 60901194

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-11.dll
API String ID: 1646373207-2713375476
Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753

Function 60922538 Relevance: 6.3, APIs: 4, Instructions: 317COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 609225EA
sqlite3_free.SQLITE3 ref: 60922697
sqlite3_free.SQLITE3 ref: 609228D2
sqlite3_free.SQLITE3 ref: 60922905

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_free
String ID:
API String ID: 2313487548-0
Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81

Function 6094D584 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

sqlite_sequence, xrefs: 6094D77D
sqlite_temp_master, xrefs: 6094D63B
sqlite_master, xrefs: 6094D630

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID:
String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
API String ID: 0-1177837799
Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41

Function 609292DA Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 60929311
sqlite3_value_text.SQLITE3 ref: 60929358
sqlite3_value_bytes.SQLITE3 ref: 60929364
sqlite3_malloc.SQLITE3 ref: 60929374

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
String ID:
API String ID: 1648232842-0
Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0

Function 60961492 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

sqlite3_step.SQLITE3 ref: 609614AB
sqlite3_reset.SQLITE3 ref: 609614BF

Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE

sqlite3_column_int64.SQLITE3 ref: 609614D4

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
String ID:
API String ID: 3429445273-0
Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752

Function 6093A57B Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6093A58F
sqlite3_stricmp.SQLITE3 ref: 6093A5C6
sqlite3_snprintf.SQLITE3 ref: 6093A60B
sqlite3_snprintf.SQLITE3 ref: 6093A631

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
String ID:
API String ID: 1035992805-0
Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42

Function 609034B2 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741

Function 6092A43E Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 6092A450

Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1

sqlite3_mutex_enter.SQLITE3 ref: 6092A466
sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
sqlite3_memory_used.SQLITE3 ref: 6092A4BA

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
String ID:
API String ID: 2673540737-0
Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81

Function 6092A3C4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 6092A3D8
sqlite3_value_text.SQLITE3 ref: 6092A3FA
sqlite3_load_extension.SQLITE3 ref: 6092A418
sqlite3_free.SQLITE3 ref: 6092A431

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
String ID:
API String ID: 3526213481-0
Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91

Function 60969133 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3_prepare.SQLITE3 ref: 60969166
sqlite3_errmsg.SQLITE3 ref: 60969172

Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5

sqlite3_errcode.SQLITE3 ref: 6096918A

Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8

sqlite3_step.SQLITE3 ref: 60969197

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
String ID:
API String ID: 2877408194-0
Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86

Function 609296D1 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3_value_bytes.SQLITE3 ref: 609296F3
sqlite3_mprintf.SQLITE3 ref: 60929708
sqlite3_free.SQLITE3 ref: 6092971B
sqlite3_value_blob.SQLITE3 ref: 6092972A

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
String ID:
API String ID: 1163609955-0
Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742

Function 60961580 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

sqlite3_prepare_v2.SQLITE3 ref: 609615BA
sqlite3_step.SQLITE3 ref: 609615C9
sqlite3_column_int.SQLITE3 ref: 609615E1

Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C

sqlite3_finalize.SQLITE3 ref: 609615EE

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
String ID:
API String ID: 4265739436-0
Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82

Function 6092A62C Relevance: 6.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 6092A638

Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1

sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
strcmp.MSVCRT ref: 6092A66A
sqlite3_mutex_leave.SQLITE3 ref: 6092A67D

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
String ID:
API String ID: 1894734062-0
Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
Opcode Fuzzy Hash: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1

Function 609084D1 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 609084E9
sqlite3_mutex_leave.SQLITE3 ref: 60908518
sqlite3_mutex_enter.SQLITE3 ref: 60908528
sqlite3_mutex_leave.SQLITE3 ref: 6090855B

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1

Function 609481BF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

into, xrefs: 60948285
out of, xrefs: 60948277

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: into$out of
API String ID: 632333372-1114767565
Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41

Function 60919123 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426

sqlite3_free.SQLITE3 ref: 609193A3

Strings

NULL, xrefs: 60919165
(NULL), xrefs: 60919157

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_freesqlite3_value_text
String ID: (NULL)$NULL
API String ID: 2175239460-873412390
Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01

Function 60942334 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

string or blob too big, xrefs: 60949978
|, xrefs: 609499CF

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: string or blob too big$|
API String ID: 632333372-330586046
Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41

Function 609426B3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

d, xrefs: 60942791
|, xrefs: 609499CF

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: d$|
API String ID: 632333372-415524447
Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41

Function 609494A9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 609498F5

Strings

d, xrefs: 609494E6
-- , xrefs: 60949549

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: -- $d
API String ID: 632333372-777087308
Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41

Function 609480BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 609480E2
sqlite3_log.SQLITE3 ref: 609498F5

Strings

string or blob too big, xrefs: 60949978

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_logsqlite3_value_text
String ID: string or blob too big
API String ID: 2320820228-2803948771
Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45

Function 6091407D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

sqlite3_aggregate_context.SQLITE3 ref: 60914096
sqlite3_value_numeric_type.SQLITE3 ref: 609140A2

Strings

, xrefs: 60914088

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
String ID:
API String ID: 3265351223-3916222277
Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81

Function 60956040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 60956065
sqlite3_stricmp.SQLITE3 ref: 6095607E

Strings

log, xrefs: 609560C0

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: log
API String ID: 912767213-2403297477
Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42

Function 60902148 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

sqlite3_strnicmp.SQLITE3 ref: 60902167
sqlite3_strnicmp.SQLITE3 ref: 60902193

Strings

SQLITE_, xrefs: 6090215C

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_strnicmp
String ID: SQLITE_
API String ID: 1961171630-787686576
Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781

Function 6091A1B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
sqlite3_value_blob.SQLITE3 ref: 6091A1FA

Strings

Invalid argument to rtreedepth(), xrefs: 6091A1E3

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_value_blobsqlite3_value_bytes
String ID: Invalid argument to rtreedepth()
API String ID: 1063208240-2843521569
Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1

Function 609561A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7

Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA

sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB

Strings

soft_heap_limit, xrefs: 609561F7

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
String ID: soft_heap_limit
API String ID: 1251656441-405162809
Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41

Function 60925208 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263

Strings

NULL, xrefs: 60925213

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: sqlite3_log
String ID: NULL
API String ID: 632333372-324932091
Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63

Function 6096D5A0 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6096D5C3
free.MSVCRT ref: 6096D609
LeaveCriticalSection.KERNEL32 ref: 6096D615

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62

Function 6096D4C0 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520

Memory Dump Source

Source File: 00000002.00000002.3556638118.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true

Associated: 00000002.00000002.3556625758.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556789250.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556885858.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556907336.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556921582.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.3556934746.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EQ5Vcf19u8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe

C:\ProgramData\ClassicHomeCinema\sqlite3.dll

C:\ProgramData\eu1223it56.dat

C:\ProgramData\eu1223rc56.dat

C:\ProgramData\eu1223resa.dat

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.chm (copy)

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-0BQ7F.tmp

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-1OQ1J.tmp

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-7MGOG.tmp

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-E3J5R.tmp

C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-PL42V.tmp

Windows Analysis Report
EQ5Vcf19u8.exe

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre