Edit tour

Windows Analysis Report
Setup_DigiSignerOne_x86.exe

Overview

General Information

Sample name:	Setup_DigiSignerOne_x86.exe
Analysis ID:	1544225
MD5:	f719502fa0580f2cfa1a6b799c4bd28d
SHA1:	63449f28a29129c23b16c7496c5748b2c1c1eb3f
SHA256:	4a6f4f683ba2d306c83c8690488332ef95f9682b1f129aed07d3512131a76dc9
Infos:

Detection

Havoc

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Havoc

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup_DigiSignerOne_x86.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe" MD5: F719502FA0580F2CFA1A6B799C4BD28D)

Setup_DigiSignerOne_x86.tmp (PID: 5252 cmdline: "C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe" MD5: B94E2647AD7D4E5AC3FEA70870F1DD05)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Havoc	First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.	No Attribution	https://4pfsec.com/havoc-c2-first-look/ https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/ https://github.com/HavocFramework/Havoc https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Setup_DigiSignerOne_x86.exe	JoeSecurity_Havoc_1	Yara detected Havoc	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Setup_DigiSignerOne_x86.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: Setup_DigiSignerOne_x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: f:\mydev\inno-download-plugin\ansi\idp.pdb source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmp, idp.dll.2.dr

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00453238 FindFirstFileA,GetLastError,	2_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	2_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	2_2_00463B44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10003AF0 FtpSetCurrentDirectoryA,FtpFindFirstFileA,InternetFindNextFileA,InternetFindNextFileA,InternetCloseHandle,	2_2_10003AF0

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_10002AA0 GetTickCount,GetTickCount,GetTickCount,InternetReadFile,_fwrite,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,

2_2_10002AA0

Source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, idp.dll.2.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.2.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup_DigiSignerOne_x86.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Setup_DigiSignerOne_x86.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00424014 NtdllDefWindowProc_A,	2_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00412A68 NtdllDefWindowProc_A,	2_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0047AC34 NtdllDefWindowProc_A,	2_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0042FA00 NtdllDefWindowProc_A,	2_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	2_2_00457E24

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

2_2_0042EDC4

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_00455E14

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_004088C0	0_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00490830	2_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004688B8	2_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00482CD8	2_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004357B8	2_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00472090	2_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00452194	2_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0043E240	2_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0043083C	2_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0046A974	2_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004449B8	2_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00434AB4	2_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00444F60	2_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0048908C	2_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004313C8	2_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00445658	2_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0045F954	2_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00445A64	2_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0045BA04	2_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00489FEC	2_2_00489FEC
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001B312	2_2_1001B312
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10025393	2_2_10025393
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001D3C6	2_2_1001D3C6
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_100195AB	2_2_100195AB
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001D899	2_2_1001D899
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_100258D5	2_2_100258D5
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001DC6D	2_2_1001DC6D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10025F99	2_2_10025F99
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001E079	2_2_1001E079
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001A0D2	2_2_1001A0D2
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001E499	2_2_1001E499
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10018980	2_2_10018980
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10002AA0	2_2_10002AA0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10026C92	2_2_10026C92
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10024E51	2_2_10024E51

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 10005410 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 10018920 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00407D84 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: String function: 00403684 appears 233 times

Source: Setup_DigiSignerOne_x86.exe

Static PE information: invalid certificate

Source: Setup_DigiSignerOne_x86.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup_DigiSignerOne_x86.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup_DigiSignerOne_x86.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup_DigiSignerOne_x86.exe
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup_DigiSignerOne_x86.exe

Source: Setup_DigiSignerOne_x86.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal48.troj.winEXE@3/4@0/0

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_00455E14

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

2_2_0045663C

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

2_2_00456E68

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Code function: 0_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A10C

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

File created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Setup_DigiSignerOne_x86.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Setup_DigiSignerOne_x86.exe	String found in binary or memory: /LOADINF="filename"
Source: Setup_DigiSignerOne_x86.exe	String found in binary or memory: q-aDD

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

File read: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe "C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp "C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp "C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup_DigiSignerOne_x86.exe

Static file information: File size 33922936 > 1048576

Source: Setup_DigiSignerOne_x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00450A28

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00406A50 push 00406A8Dh; ret	0_2_00406A85
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_004093EC push 0040941Fh; ret	0_2_00409417
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: 0_2_004085B8 push ecx; mov dword ptr [esp], eax	0_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00409DDC push 00409E19h; ret	2_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0041A0B8 push ecx; mov dword ptr [esp], ecx	2_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00452194 push ecx; mov dword ptr [esp], eax	2_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax	2_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040A2DF push ds; ret	2_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004605AC push ecx; mov dword ptr [esp], ecx	2_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00458848 push 00458880h; ret	2_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00410970 push ecx; mov dword ptr [esp], edx	2_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00412DB8 push 00412E1Bh; ret	2_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040D2C8 push ecx; mov dword ptr [esp], edx	2_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040546D push eax; ret	2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040553D push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004055BE push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040563B push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004056A0 push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0040F828 push ecx; mov dword ptr [esp], edx	2_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00443930 push ecx; mov dword ptr [esp], ecx	2_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00487AF0 push ecx; mov dword ptr [esp], ecx	2_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00459B60 push 00459BA4h; ret	2_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00497B18 push ecx; mov dword ptr [esp], ecx	2_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00479C7C push ecx; mov dword ptr [esp], edx	2_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00451FD0 push 00452003h; ret	2_2_00451FFB
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10016695 push ecx; ret	2_2_100166A8

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	File created: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	File created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	File created: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	2_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	2_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	2_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0041815E IsIconic,SetWindowPos,	2_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	2_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0042466C IsIconic,SetActiveWindow,SetFocus,	2_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00424624 IsIconic,SetActiveWindow,	2_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	2_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	2_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00417A28 IsIconic,GetCapture,	2_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	2_2_00485CFC

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_0041F5A8

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5926

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00453238 FindFirstFileA,GetLastError,	2_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	2_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	2_2_00463B44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10003AF0 FtpSetCurrentDirectoryA,FtpFindFirstFileA,InternetFindNextFileA,InternetFindNextFileA,InternetCloseHandle,	2_2_10003AF0

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Code function: 0_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_0040A050

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	API call chain: ExitProcess graph end node			graph_0-6946
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	API call chain: ExitProcess graph end node			graph_2-73641

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_100140F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_100140F3

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00450A28

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_1001F23F GetProcessHeap,___initmbctable,GetModuleFileNameA,_parse_cmdline,__malloc_crt,_parse_cmdline,

2_2_1001F23F

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_10017458 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10017458
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001F575 SetUnhandledExceptionFilter,__encode_pointer,	2_2_1001F575
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001F597 __decode_pointer,SetUnhandledExceptionFilter,	2_2_1001F597
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_100140F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100140F3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: 2_2_1001449E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1001449E

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

2_2_0047A678

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

2_2_0042F294

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

2_2_0042E52C

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_10023C59 cpuid

2_2_10023C59

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: GetLocaleInfoA,	0_2_00405694
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe	Code function: GetLocaleInfoA,	0_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,	2_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,	2_2_00408A44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	2_2_1001D1E3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,	2_2_1001CCC9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_1001D083
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1001D142
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1001D1A7
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	2_2_10023622
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,_xtoa_s@20,	2_2_10023849
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	2_2_1002391B
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	2_2_10023A56
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	2_2_10023A91
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_10023BCE
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_1001BF7D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,	2_2_1002032C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	2_2_1001C5D9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	2_2_10020612
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	2_2_1001C82A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_10016C3A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,	2_2_1001CDAB
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_1001CE41
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_1001CEB3

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

2_2_00458E58

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Code function: 2_2_00455DCC GetUserNameA,

2_2_00455DCC

Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_00404654

Stealing of Sensitive Information

Yara detected Havoc

Source: Yara match

File source: Setup_DigiSignerOne_x86.exe, type: SAMPLE

Remote Access Functionality

Yara detected Havoc

Source: Yara match

File source: Setup_DigiSignerOne_x86.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	3 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup_DigiSignerOne_x86.exe	0%	ReversingLabs
Setup_DigiSignerOne_x86.exe	1%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp	3%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	Setup_DigiSignerOne_x86.exe	false		unknown
http://www.remobjects.com/psU	Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://bitbucket.org/mitrich_k/inno-download-plugin	Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, idp.dll.2.dr	false		unknown
http://www.remobjects.com/ps	Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Setup_DigiSignerOne_x86.exe	false		unknown
http://mitrichsoftware.wordpress.comB	Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.2.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544225
Start date and time:	2024-10-29 04:11:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup_DigiSignerOne_x86.exe
Detection:	MAL
Classification:	mal48.troj.winEXE@3/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 117 Number of non-executed functions: 225
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll	66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe	Get hash	malicious	Raccoon Stealer v2, RedLine, SmokeLoader, Socelars, onlyLogger	Browse
	wXPMoK0v34.exe	Get hash	malicious	Crypto Miner, Diablo Miner, GMiner, Njrat, Xmrig	Browse
	wXPMoK0v34.exe	Get hash	malicious	Crypto Miner, Diablo Miner, GMiner, Njrat, Xmrig	Browse
	273F433BA1CEBFAD830E52490A04CA744351FC4624928.exe	Get hash	malicious	PrivateLoader, RedLine, Socelars	Browse
	https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe	Get hash	malicious	Unknown	Browse
	B07BE8360DD11E81F6830AE467BEC71CB6058523B3594.exe	Get hash	malicious	Nymaim, RedLine, Socelars, onlyLogger	Browse
	DvuGZ73eK1.exe	Get hash	malicious	Fabookie, Nymaim, RedLine, SmokeLoader, Socelars, onlyLogger	Browse
	https://innov8site.com/kcs/pub/speid_setup_10_head_11-07-2022-4-00-PM_signed.exe	Get hash	malicious	Unknown	Browse
	https://innov8site.com/kcs/pub/speid_setup_10_head_11-07-2022-4-00-PM_signed.exe	Get hash	malicious	Unknown	Browse
	0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe	Get hash	malicious	Nymaim, Raccoon, RedLine, Socelars, onlyLogger	Browse
C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp	XS_Trade_AI-newest_release_.exe	Get hash	malicious	LummaC	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	yM3BrI8G1E	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip	Get hash	malicious	Xmrig	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe?	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: yM3BrI8G1E, Detection: malicious, Browse Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	221184
Entropy (8bit):	6.433227377923997
Encrypted:	false
SSDEEP:	3072:3kdYM0KYqpvmSM0IKNDe/zmNDNRpGFRMlCP7mYYY5Qt1reJbTg/knAD:UsKFrM7CNocNNreJb0/F
MD5:	B37377D34C8262A90FF95A9A92B65ED8
SHA1:	FAEEF415BD0BC2A08CF9FE1E987007BF28E7218D
SHA-256:	E5A0AD2E37DDE043A0DD4AD7634961FF3F0D70E87D2DB49761EB4C1F468BB02F
SHA-512:	69D8DA5B45D9B4B996D32328D3402FA37A3D710564D47C474BF9E15C1E45BC15B2858DBAB446E6BAEC0C099D99007FF1099E9C4E66CFD1597F28C420BB50FDCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe, Detection: malicious, Browse Filename: wXPMoK0v34.exe, Detection: malicious, Browse Filename: wXPMoK0v34.exe, Detection: malicious, Browse Filename: 273F433BA1CEBFAD830E52490A04CA744351FC4624928.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: B07BE8360DD11E81F6830AE467BEC71CB6058523B3594.exe, Detection: malicious, Browse Filename: DvuGZ73eK1.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...;...;....B.......B.......B.........2...;.......B..7....B..:....B..:....B..:...Rich;...........PE..L.....W...........!................ea..............................................@.......................................0...d....@.......................P......p..................................@............................................text...y}.......................... ..`.rdata..Jl.......p..................@..@.data...`9....... ..................@....rsrc........@....... ..............@..@.reloc...+...P...0...0..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\logo_digisign_nou.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
File Type:	PC bitmap, Windows 3.x format, 40 x 33 x 24, image size 3962, resolution 11811 x 11811 px/m, cbSize 4016, bits offset 54
Category:	dropped
Size (bytes):	4016
Entropy (8bit):	4.162987726623242
Encrypted:	false
SSDEEP:	48:XOjDD6IQs0ganRAwa5dDkKEUSs+Daymn51rOXxYSziPk6QBn:ejrQjgaRfidDkKAs+DaymvrOXGQBn
MD5:	ED546799773B5C9DFDEEF22A5F847B4D
SHA1:	B19108C9B3F5113E022D7B0D0314E90B74EE0096
SHA-256:	1E5FCFEA56F8EEB6889B2A748BC3946BA8D550D78C2D7902F7FBEEE207F163A9
SHA-512:	68DDCDF3288ED61C76A76C1CB217E55917ECB995F4567FF42B63E63AF1DEC7F931029AE2DD176F24FB138A52F2FDD7BA75036DA6C431E4420781A4218C1A9E57
Malicious:	false
Reputation:	low
Preview:	BM........6...(...(...!...........z...#...#......................................................................................................................................................................................................................................................................................................xm.]O.L=.M>.^Q.zo.............................................................................................RE.%.....!..1!.=..=..0 . .....&..XK...............................................................................VI....$..<-.@1.?0.?0.?0.?0.?0.?0.@1.<,.!.....^Q......................................................................%.....?0.A2.?0.?0.?0.?0.?0.?0.?0.?0.?0.?0.A2.>/....'......................................................................@1.<-.<-.<-.<-.<-.<-.<-.<-.<-.=..?0.?0.?0.?0.C4.).................................................................3#.8).'..'..'..'..'..'..'..'..'..'..$.....#..9.B3.?0.C4.+........................

C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Download File

Process:	C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	723944
Entropy (8bit):	6.530436054106211
Encrypted:	false
SSDEEP:	12288:kqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyRB:JIZg+uiirPO37fzH4A6haDbcUZEbdT9A
MD5:	B94E2647AD7D4E5AC3FEA70870F1DD05
SHA1:	EC37C4E5A750B3AAFEFDAFD8B18EDF9CA8EA29A1
SHA-256:	83ABBE5AAB75D0E15D099F5BB3BACBF154BFD673B5A93F7762070DD123E19911
SHA-512:	344C67842161430F1F0C9875685EAC5F1E45EE9ED1528BFD0A00AE920087CFC19D4D8A33C54D6955D84EC250D24A239D97B330DBC7BD69650D2132D7DFEE297F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@.................................o.....@......@..............................2&...........................................................@......................................................CODE....p........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.. ....P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99992284931637
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Setup_DigiSignerOne_x86.exe
File size:	33'922'936 bytes
MD5:	f719502fa0580f2cfa1a6b799c4bd28d
SHA1:	63449f28a29129c23b16c7496c5748b2c1c1eb3f
SHA256:	4a6f4f683ba2d306c83c8690488332ef95f9682b1f129aed07d3512131a76dc9
SHA512:	8f99bf1c2c942fc9f4d0a3e8d46f34e5c6227e8a704ccadf1a108a6a55906ec7303a8c9a093efa09d85802eb50f1a28b6d3cd752ab589e65f80aeb6607b9280c
SSDEEP:	786432:E2eyVvYtzISiojT5PgcZQU059nXLAh7WRinvhyMQA9ieYDkVd:947imQU055XEh7KgQs/YQVd
TLSH:	D7773362902F5AD3E054FAFD3E4ABD724BB7FECF3AE8912AC52815E1159B027744C610
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x40aad0
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	13/12/2023 01:00:00 13/12/2026 00:59:59
Subject Chain	CN=DigiSign SA, O=DigiSign SA, L=Bucuresti, C=RO, SERIALNUMBER=J40/8069/2005, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=RO
Version:	3
Thumbprint MD5:	A9A7C1378F94F4D1126AAE61B71F4883
Thumbprint SHA-1:	E6919509374FB0BFF0E6A7CB70D6243EFC290A7E
Thumbprint SHA-256:	FCCFBA3B2589EF0CDF9FD20795AD565C185A03F0F4575BE421EAC7B771496E66
Serial:	0D683014108874A2056550C00B18D543

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F418CFF155Bh
call 00007F418CFF2762h
call 00007F418CFF2AC9h
call 00007F418CFF2F1Ch
call 00007F418CFF4EBBh
call 00007F418CFF7852h
call 00007F418CFF79B9h
xor eax, eax
push ebp
push 0040B1A1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040B16Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040D014h]
call 00007F418CFF848Bh
call 00007F418CFF8076h
cmp byte ptr [0040C234h], 00000000h
je 00007F418CFF8F6Eh
call 00007F418CFF8588h
xor eax, eax
call 00007F418CFF2251h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F418CFF54CBh
mov edx, dword ptr [ebp-10h]
mov eax, 0040DE30h
call 00007F418CFF15F2h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040DE30h]
mov dl, 01h
mov eax, 00407840h
call 00007F418CFF5D86h
mov dword ptr [0040DE34h], eax
xor edx, edx
push ebp
push 0040B122h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F418CFF84E6h
mov dword ptr [0040DE3Ch], eax
mov eax, dword ptr [0040DE3Ch]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2058d90	0x11e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa208	0xa400	49513e676dadfb3919c4b137dd7c6d66	False	0.5959413109756098	data	6.6016742350943245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	0a7b48e75f6b6ef4a087528fee0d185c	False	0.30859375	data	2.771347682604831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x920	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x2c00	0x2c00	42d669c3f3a7e7ef3ecc53fc09de0caf	False	0.3352272727272727	data	4.6025143205091394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1247c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x129e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x12ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x13574	0x2f2	data			0.35543766578249336
RT_STRING	0x13868	0x30c	data			0.3871794871794872
RT_STRING	0x13b74	0x2ce	data			0.42618384401114207
RT_STRING	0x13e44	0x68	data			0.75
RT_STRING	0x13eac	0xb4	data			0.6277777777777778
RT_STRING	0x13f60	0xae	data			0.5344827586206896
RT_RCDATA	0x14010	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1403c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1407c	0x4f4	data	English	United States	0.2894321766561514
RT_MANIFEST	0x14570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Target ID:	0
Start time:	23:12:27
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Imagebase:	0x400000
File size:	33'922'936 bytes
MD5 hash:	F719502FA0580F2CFA1A6B799C4BD28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:12:28
Start date:	28/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Imagebase:	0x400000
File size:	723'944 bytes
MD5 hash:	B94E2647AD7D4E5AC3FEA70870F1DD05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1571
Total number of Limit Nodes:	16

Executed Functions

Function 00404654 Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9

Strings

setupapi.dll, xrefs: 00404762
version.dll, xrefs: 00404834
kernel32.dll, xrefs: 0040466A
clbcatq.dll, xrefs: 0040489D
SetProcessDEPPolicy, xrefs: 004048E8
SetDefaultDllDirectories, xrefs: 00404685
propsys.dll, xrefs: 004047A8
dwmapi.dll, xrefs: 004047CB
oleacc.dll, xrefs: 00404811
apphelp.dll, xrefs: 00404785
SetSearchPathMode, xrefs: 004048D2
cryptbase.dll, xrefs: 004047EE
comres.dll, xrefs: 0040487A
uxtheme.dll, xrefs: 0040471C
profapi.dll, xrefs: 00404857
ntmarta.dll, xrefs: 004048C0
userenv.dll, xrefs: 0040473F
SetDllDirectoryW, xrefs: 004046AD

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-1119018034
Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

Function 0040A050 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 0040A062
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A

Function 00405694 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

Function 0040AF8D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040AF99

Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02071DF0), ref: 00409B44

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
SetWindowLongA.USER32(000203D4,000000FC,00409E38), ref: 0040AFED
RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
DestroyWindow.USER32(000203D4,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED

Strings

STATIC, xrefs: 0040AFCF
/SL5="$%x,%d,%d,, xrefs: 0040B02D
InnoSetupLdrWindow, xrefs: 0040AFCA

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3757039580-3001827809
Opcode ID: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
Opcode Fuzzy Hash: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D

Function 00409558 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A

Strings

Wow64DisableWow64FsRedirection, xrefs: 00409570
Wow64RevertWow64FsRedirection, xrefs: 0040958A
kernel32.dll, xrefs: 00409575, 0040958F
shell32.dll, xrefs: 004095D7

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

Function 0040AF7A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
SetWindowLongA.USER32(000203D4,000000FC,00409E38), ref: 0040AFED

Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C

Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0,00000000,00409F97), ref: 00409F34
Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0,00000000), ref: 00409F48
Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0), ref: 00409F7C

RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
DestroyWindow.USER32(000203D4,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED

Strings

STATIC, xrefs: 0040AFCF
/SL5="$%x,%d,%d,, xrefs: 0040B02D
InnoSetupLdrWindow, xrefs: 0040AFCA

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C

Function 00409EC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0,00000000,00409F97), ref: 00409F34
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0,00000000), ref: 00409F48
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02071DF0,00409FB0), ref: 00409F7C

Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02071DF0), ref: 00409B44

Strings

D, xrefs: 00409F0E

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669

Function 00401918 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

|SC, xrefs: 0040195A

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: |SC
API String ID: 730355536-3706279579
Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

Function 0040ACEC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50

Strings

.tmp, xrefs: 0040AD96
xz@, xrefs: 0040AE04

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message
String ID: .tmp$xz@
API String ID: 2030045667-184514067
Opcode ID: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
Opcode Fuzzy Hash: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD

Function 0040AD07 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50

Strings

.tmp, xrefs: 0040AD96
xz@, xrefs: 0040AE04

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message
String ID: .tmp$xz@
API String ID: 2030045667-184514067
Opcode ID: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
Opcode Fuzzy Hash: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD

Function 00409808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857

Strings

.tmp, xrefs: 00409837

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
Opcode Fuzzy Hash: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

Function 00407454 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 0040745E
LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
Opcode Fuzzy Hash: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

Function 00407AE0 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407AF7
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407B06

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
Instruction ID: e6678645df70ceda1296de0698669a3f17118b423087409050d1bdfb176b5629
Opcode Fuzzy Hash: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
Instruction Fuzzy Hash: 33E092B17081106AEB20A65E9884F6767ECCBC5368F04457BF608DB286D678EC008377

Function 00407B20 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B3F
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B47

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020703AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
Instruction ID: e41e806bfeb234626b87b501edff7cf6b7d3219fcc40cd55b05b53632260e4a9
Opcode Fuzzy Hash: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
Instruction Fuzzy Hash: BDE092767082005BD610E55EC881F9B33DCDFC5368F004137B658EB1D1DA75A8008366

Function 00407A78 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A8F
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A9B

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020703AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
Instruction ID: 5d7889b2766bb560f48239758183442fe2ff1acd2572488175a49b0c159bb46e
Opcode Fuzzy Hash: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
Instruction Fuzzy Hash: 57E04FB16002109FEB20EEB98981B5673D89F44364F048576E614DF2C6D378DC008B66

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 316f7b9c70f66dec2db539bfa6b5d1d13d5c84c791c458a80c61312b1b31133c
Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
Opcode Fuzzy Hash: 316f7b9c70f66dec2db539bfa6b5d1d13d5c84c791c458a80c61312b1b31133c
Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

Function 00407BD6 Relevance: 1.8, APIs: 1, Instructions: 279fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
Instruction ID: 1ffe8940fb0bba7a1c466ab1a63027f62bf18732910125c6c2e91df4c90979d7
Opcode Fuzzy Hash: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
Instruction Fuzzy Hash: 7351B12084E2910FDB125B7459A85A13FA1FF5331532A52FBC4D2AB1E3D27CA847835F

Function 00405708 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727

Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181

Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94

Function 00407A2A Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8

Function 00406E64 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406EAC,?,?,?,?,00000000,?,00406EC1,0040721B,00000000,00407260,?,?,?), ref: 00406E8F

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
Instruction ID: 7ab40f028fd3c5f14a353e55118c7c81c89abefc65ec3810316971f178424404
Opcode Fuzzy Hash: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
Instruction Fuzzy Hash: 21E06D35204704BFD701EEA2DD52A5ABBACDB89B04BA24476F501A6682D6796E1084A8

Function 00407A2C Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8

Function 00407B7C Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020703AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
Instruction ID: 9cacba7c6654c632647ec303d4b17c56949909c1fcff6adca1bc3dcca5067dcb
Opcode Fuzzy Hash: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
Instruction Fuzzy Hash: 52E0ED726081106BEB10E65A9984E9777ECDFC5364F00407BB648DB241D578AC058676

Function 00407738 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F

Function 00407B60 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02090000,0040AF31,00000000), ref: 00407B67

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020703AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
Instruction ID: 97af4fe43c66ae010506ec3d7cd84cb65660405db9abbaf149828d557edbb573
Opcode Fuzzy Hash: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
Instruction Fuzzy Hash: F3C04CB160410057DB00A6AE85C1E1672D85A4825830040B6B604DB257D678E8108719

Function 004074AF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519

Function 004074CB Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B

Function 00406DF8 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
Instruction Fuzzy Hash:

Function 004083C4 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00408454

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
Instruction ID: f6409c4485ca7bd338f5543af8cc2530bb3769743075a02b7f3240cefa60082b
Opcode Fuzzy Hash: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
Instruction Fuzzy Hash: 3E1181716006059BDB00EF69C981B4B7794EF84359F04847EF998AB2C6DF38DC058B6A

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 51bc12226ee049d6fe29a1ee76e74a4f55284af631c21770742f8cdc5b2db1cc
Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
Opcode Fuzzy Hash: 51bc12226ee049d6fe29a1ee76e74a4f55284af631c21770742f8cdc5b2db1cc
Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8

Function 004079FC Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389

Function 0040836C Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00408351), ref: 00408383

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
Instruction ID: c3f7fe7f71c209b7548f3f70eea4568eea5cceda8148a565dbcaceff9471b988
Opcode Fuzzy Hash: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
Instruction Fuzzy Hash: 9CD002B1755304AFDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6E775D8108B14

Non-executed Functions

Function 00409920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B

Strings

SeShutdownPrivilege, xrefs: 00409947

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F

Function 0040A10C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE

Function 004056E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
Instruction ID: d144edb85d9c502d4ea0939edf991ab5ce3f28f90927345f3a95d007e4e99129
Opcode Fuzzy Hash: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
Instruction Fuzzy Hash: DCD0A7AA31E250BAE310519B2D85EBB4BDCCBC57B4F14443FFA48D7242D2248C06A7B6

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748

Function 004088C0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 3b27ac6c5e0f9a5810868b706c98a54019571903b6d877547466b603179570a7
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 9E32D674E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF55

Function 004074D8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00407564
kernel32.dll, xrefs: 004074FC
Locale, xrefs: 00407544
GetUserDefaultUILanguage, xrefs: 004074F7
.DEFAULT\Control Panel\International, xrefs: 0040752C

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004019DC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00433D88,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,00433D88,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00434D88,?,00000000,00008000,00433D88,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE

Strings

|SC, xrefs: 00401A5D

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: |SC
API String ID: 3782394904-3706279579
Opcode ID: 11cd0e1b4d10db7b8e02ae656c4499af271f9fd0eb7f0a46b5c3575f739066d3
Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
Opcode Fuzzy Hash: 11cd0e1b4d10db7b8e02ae656c4499af271f9fd0eb7f0a46b5c3575f739066d3
Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

Function 0040584C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866

Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3

Strings

:mm, xrefs: 00405A48
AMPM, xrefs: 00405A31
mmmm d, yyyy, xrefs: 00405957
m/d/yy, xrefs: 00405935
:mm:ss, xrefs: 00405A62

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9
9@, xrefs: 00403D29, 00403D34

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 00403018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037

Strings

,`@, xrefs: 0040304E
a@, xrefs: 00403070

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Unwind
String ID: a@$,`@
API String ID: 3419175465-3299659662
Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769

Function 0040A160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195

Strings

Setup, xrefs: 0040A185
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
Opcode Fuzzy Hash: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

Function 004099B0 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC

Memory Dump Source

Source File: 00000000.00000002.3380259838.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3380241123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380278836.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3380294230.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9

Analysis Process: Setup_DigiSignerOne_x86.tmpPID: 5252, Parent PID: 3852COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	103

Executed Functions

Function 00490830 Relevance: 141.9, APIs: 22, Strings: 58, Instructions: 1920COMMON

Download Yara Rule

Strings

REGQUERYBINARYVALUE, xrefs: 00491747
ADDPERIOD, xrefs: 00491DAB
REGQUERYSTRINGVALUE, xrefs: 004914E6
GETSYSNATIVEDIR, xrefs: 00490F7A
REGVALUEEXISTS, xrefs: 0049120F
REGKEYEXISTS, xrefs: 00491192
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 004912B1
SETINIINT, xrefs: 00490B99
FONTEXISTS, xrefs: 00491D52
FILECOPY, xrefs: 004910CE
FILEORDIREXISTS, xrefs: 004908E9
ISINISECTIONEMPTY, xrefs: 00490AE2
DELETEINISECTION, xrefs: 00490CBD
REGWRITEBINARYVALUE, xrefs: 00491C2A
REGQUERYMULTISTRINGVALUE, xrefs: 004915A8
GETINIINT, xrefs: 00490996
SETNTFSCOMPRESSION, xrefs: 00491E27
REGGETSUBKEYNAMES, xrefs: 0049140C
USINGWINNT, xrefs: 004910AA
REGGETVALUENAMES, xrefs: 00491479
REGQUERYDWORDVALUE, xrefs: 0049166A
DIREXISTS, xrefs: 004908B0
REGWRITEMULTISTRINGVALUE, xrefs: 00491A4C
REGDELETEVALUE, xrefs: 00491367
GETCMDTAIL, xrefs: 00490D2F
REMOVEBACKSLASH, xrefs: 00490DE5
FILEEXISTS, xrefs: 00490877
GETUILANGUAGE, xrefs: 00491D86
INIKEYEXISTS, xrefs: 00490A86
GETINISTRING, xrefs: 00490922
REGDELETEKEYIFEMPTY, xrefs: 0049130C
GETWINDIR, xrefs: 00490F02
GETENV, xrefs: 00490CF7
REMOVEBACKSLASHUNLESSROOT, xrefs: 00490E1D
ISWILDCARD, xrefs: 00491E70
ADDBACKSLASH, xrefs: 00490DAD
CONVERTPERCENTSTR, xrefs: 00491151
GETSYSTEMDIR, xrefs: 00490F2A
STRINGCHANGEEX, xrefs: 00491036
GETINIBOOL, xrefs: 00490A1B
WILDCARDMATCH, xrefs: 00491EA1
PARAMCOUNT, xrefs: 00490D57
GETSHORTNAME, xrefs: 00490EC5
CHARLENGTH, xrefs: 00491DE3
ISADMINLOGGEDON, xrefs: 00491D0A
REGWRITEEXPANDSTRINGVALUE, xrefs: 0049196B
ADDQUOTES, xrefs: 00490E55
PARAMSTR, xrefs: 00490D7B
ISPOWERUSERLOGGEDON, xrefs: 00491D2E
SETINIBOOL, xrefs: 00490C04
GETSYSWOW64DIR, xrefs: 00490F52
REMOVEQUOTES, xrefs: 00490E8D
STRINGCHANGE, xrefs: 00490FCF
REGWRITESTRINGVALUE, xrefs: 00491854
REGWRITEDWORDVALUE, xrefs: 00491B56
GETTEMPDIR, xrefs: 00490FA7
DELETEINIENTRY, xrefs: 00490C6F
SETINISTRING, xrefs: 00490B2A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$ISWILDCARD$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT$WILDCARDMATCH
API String ID: 0-2995905506
Opcode ID: 47379c65e18803ed89a8cb35dcf6b416a7c6d2a64b8f1ea418acd2a03b84abc0
Instruction ID: 531e8d64222ffae2c249fa443d2387929f23501f78df198fe4c1f2eaeed2c77d
Opcode Fuzzy Hash: 47379c65e18803ed89a8cb35dcf6b416a7c6d2a64b8f1ea418acd2a03b84abc0
Instruction Fuzzy Hash: 8FD25270B041055BDF10EB79CD829AEBAA5AF48314F50943FB802AB796DF3CDD068799

Function 0042E52C Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E566
GetVersion.KERNEL32(00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E583
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E59C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E5A2
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E5B7
FreeSid.ADVAPI32(00000000,0042E717,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E70A

Strings

CheckTokenMembership, xrefs: 0042E592
advapi32.dll, xrefs: 0042E597

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: 00703ec5bc4e6a7ae9ebf93987a9797f0e4118df6b513f3cea44931636ca7d1c
Instruction ID: bd7b6b299922f244852f5898a9d4d4a5ef1c154b8f3e5ea1adaf5ad24a825e41
Opcode Fuzzy Hash: 00703ec5bc4e6a7ae9ebf93987a9797f0e4118df6b513f3cea44931636ca7d1c
Instruction Fuzzy Hash: 36519471B44315AEEB11EAE69C42B7F77ACDB19304F94047BB500EB282D57CDD048B69

Function 00450A28 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A53

Part of subcall function 004509F8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450A10

LoadLibraryA.KERNEL32(00000000,00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A8F
GetProcAddress.KERNEL32(6EA40000,RmStartSession), ref: 00450AAD
GetProcAddress.KERNEL32(6EA40000,RmRegisterResources), ref: 00450AC2
GetProcAddress.KERNEL32(6EA40000,RmGetList), ref: 00450AD7
GetProcAddress.KERNEL32(6EA40000,RmShutdown), ref: 00450AEC
GetProcAddress.KERNEL32(6EA40000,RmRestart), ref: 00450B01
GetProcAddress.KERNEL32(6EA40000,RmEndSession), ref: 00450B16

Strings

RmRestart, xrefs: 00450AF6
RmGetList, xrefs: 00450ACC
Rstrtmgr.dll, xrefs: 00450A7C
RmEndSession, xrefs: 00450B0B
RmShutdown, xrefs: 00450AE1
RmStartSession, xrefs: 00450AA2
RmRegisterResources, xrefs: 00450AB7

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: 69ff123684ebd81fb8406be45396341c47124d95e1b8311954c188464bf28ffd
Instruction ID: 2841e6775defb51719e30d1654eee8915289afef741f041a49b247766738df14
Opcode Fuzzy Hash: 69ff123684ebd81fb8406be45396341c47124d95e1b8311954c188464bf28ffd
Instruction Fuzzy Hash: 8F212EB4510204BFE710FBE2DC86B6E77E8E714759F540537B840A71A2E678A949CB1C

Function 0042409C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886bf65537a03716d8ce79b5c17bbfcd13e2fd4527009e8f92f9ab5e14d3b16d
Instruction ID: 825bfe9503c2e42b9fb69ea357955289e6132b3f8b751ff356745ab72a8b0ef1
Opcode Fuzzy Hash: 886bf65537a03716d8ce79b5c17bbfcd13e2fd4527009e8f92f9ab5e14d3b16d
Instruction Fuzzy Hash: F0E18C34700124EFD710DB69E585A5EB7B4FB88304FA440A6FA85EB356C738EE81DB19

Function 00422CEC Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E84
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042304E), ref: 00422E94

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
Instruction ID: 26a98208f56e96a8b9863cf96f01cb8393c818091eec428a2aa80c5483449fd4
Opcode Fuzzy Hash: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
Instruction Fuzzy Hash: 82915270B04254EFD711DFA9DA86F9E77F4AB04304F5600BAF504AB392C779AE40AB58

Function 004688B8 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1679windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,00000006), ref: 00498967
Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,0000000D), ref: 0049897C

Part of subcall function 00498738: GetWindowRect.USER32(00000000), ref: 0049874E

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00468CC8

Part of subcall function 004989BC: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004989C6

Part of subcall function 0042F1C8: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224
Part of subcall function 0042F1C8: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241

Part of subcall function 00498688: GetDC.USER32(00000000), ref: 004986AA
Part of subcall function 00498688: SelectObject.GDI32(?,00000000), ref: 004986D0
Part of subcall function 00498688: ReleaseDC.USER32(00000000,?), ref: 00498721

Part of subcall function 004989AC: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004989B6

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,023189C8,0231A964,?,?,0231A994,?,?,0231A9F0,?), ref: 0046996B
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046997C
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00469994

Strings

, xrefs: 00468D89
(Default), xrefs: 00469F7D
STOPIMAGE, xrefs: 00468CBD

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu$Append$AddressAutoBitmapCompleteLoadObjectProcRectReleaseSelectSystemWindow
String ID: $(Default)$STOPIMAGE
API String ID: 2472569012-770201673
Opcode ID: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
Instruction ID: f09852cb7729e2bbd5cbdd1f7d0006831e648923f53a2056fc505b03d658ebd5
Opcode Fuzzy Hash: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
Instruction Fuzzy Hash: E5F2C7386005148FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36AD778AC4ACB4A

Function 00453238 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 00453275
GetLastError.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 0045327D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: eb4a1247d762527b0f95a072588846a86ffca63a133cb8b0ffbf18bb37ace285
Instruction ID: 01611b9c15ef78b160da910fd5818d9ac2674b067f1b6166a22c9a12ef003207
Opcode Fuzzy Hash: eb4a1247d762527b0f95a072588846a86ffca63a133cb8b0ffbf18bb37ace285
Instruction Fuzzy Hash: CAF02D72A04704AB8B10DF76AC0149EF7BCEB8637672046BBFC14E3692DB794F058558

Function 004089F8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
Instruction ID: 256e1aeba2a9af0ec73989512e647111dc5dc60b4a8a7c740aeb84942aea65fa
Opcode Fuzzy Hash: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
Instruction Fuzzy Hash: 61E0683170021457C311A91A8C82AFBB34CDB18354F40427FBD44E73C2EDB89E4146EC

Function 00424014 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245E1,?,00000000,004245EC), ref: 0042403E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 004063FC Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406680
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406696
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 004066A1

Strings

userenv.dll, xrefs: 004064E7
dwmapi.dll, xrefs: 00406573
kernel32.dll, xrefs: 00406412
SetDefaultDllDirectories, xrefs: 0040642D
clbcatq.dll, xrefs: 00406645
SetDllDirectoryW, xrefs: 00406455
SetProcessDEPPolicy, xrefs: 00406690
cryptbase.dll, xrefs: 00406596
apphelp.dll, xrefs: 0040652D
ntmarta.dll, xrefs: 00406668
setupapi.dll, xrefs: 0040650A
profapi.dll, xrefs: 004065FF
SetSearchPathMode, xrefs: 0040667A
oleacc.dll, xrefs: 004065B9
propsys.dll, xrefs: 00406550
version.dll, xrefs: 004065DC
comres.dll, xrefs: 00406622
uxtheme.dll, xrefs: 004064C4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-1119018034
Opcode ID: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
Instruction ID: 7e21cf5f117f2e3abcec30b6674fd8076a5a40f26409e7412662737288cf0c05
Opcode Fuzzy Hash: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
Instruction Fuzzy Hash: 5C612030A00009EBDB01FBAAD982D8D7BB89B45749B214077A405772F6DB3CEF199B5D

Function 00485E3C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485ECD

Strings

advapi32.dll, xrefs: 00485EAB
GetSystemWow64DirectoryA, xrefs: 00485E97
RegDeleteKeyExA, xrefs: 00485EA6
IsWow64Process, xrefs: 00485E6A
GetNativeSystemInfo, xrefs: 00485E54
kernel32.dll, xrefs: 00485E48

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
Instruction ID: 52726a1ce108b2e1205f78178c8bd3673f5dc6952592f7a0a7a67ab458256f91
Opcode Fuzzy Hash: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
Instruction Fuzzy Hash: FD118465148F8195DE1273794C8A77F2A888B10718F2C0C3B7B847A6D2DBBC8D85972F

Function 0046A2F8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,0046A512,?,?,00000001,00000000,00000000,0046A52D,?,00000000,00000000,?), ref: 0046A4FB

Strings

Inno Setup: Setup Type, xrefs: 0046A40A
Inno Setup: User Info: Name, xrefs: 0046A4B7
Inno Setup: User Info: Organization, xrefs: 0046A4CA
Inno Setup: Icon Group, xrefs: 0046A3D6
Inno Setup: Selected Components, xrefs: 0046A41A
Inno Setup: No Icons, xrefs: 0046A3E3
Inno Setup: Selected Tasks, xrefs: 0046A467
Inno Setup: Deselected Tasks, xrefs: 0046A489
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046A357
Inno Setup: User Info: Serial, xrefs: 0046A4DD
Inno Setup: Deselected Components, xrefs: 0046A43C
Inno Setup: App Path, xrefs: 0046A3BA
%s\%s_is1, xrefs: 0046A375

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 55465f8b1ecb84598e1fa3f417a1a599462ef7b6c0253ef331ed16acccad8cce
Instruction ID: bc3733d3a6311be72aa26145a3a6b26ae63bc40f30ab818c77ebdc0ae002d22e
Opcode Fuzzy Hash: 55465f8b1ecb84598e1fa3f417a1a599462ef7b6c0253ef331ed16acccad8cce
Instruction Fuzzy Hash: 2F518170600A049FCB11DB65D952BEEB7B4EF49304F5084BAE841B7391E738AE15CF5A

Function 0047E8A8 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD28: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,004545B0,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229), ref: 0042DD3B

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 0042DD80: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
Part of subcall function 0042DD80: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0

SHGetKnownFolderPath.SHELL32(0049CD48,00008000,00000000,?,00000000,0047EB7C), ref: 0047EA82
CoTaskMemFree.OLE32(?,0047EAC5), ref: 0047EAB8

Part of subcall function 0042D698: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DECE,00000000,0042DF60,?,?,?,0049E62C,00000000,00000000), ref: 0042D6C3

Strings

Common Files, xrefs: 0047E9E1
CommonFilesDir, xrefs: 0047E9AA, 0047EA26
\Program Files, xrefs: 0047E997
ProgramFilesDir, xrefs: 0047E970, 0047E9F7
Failed to get path of 64-bit Program Files directory, xrefs: 0047EA19
SystemDrive, xrefs: 0047E90F
COMMAND.COM, xrefs: 0047EB57
Failed to get path of 64-bit Common Files directory, xrefs: 0047EA48
cmd.exe, xrefs: 0047EB36

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3771764029-544719455
Opcode ID: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
Instruction ID: 78e7a351989074df20a48af568640fcf9ae091c764a67f88943fd453c39c20c9
Opcode Fuzzy Hash: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
Instruction Fuzzy Hash: D4616034610104DFDB10EBA6D84269E7F69EB48319F60C6BBE404E7395C73CAE49CA9D

Function 0047F0B4 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

GetProcAddress.KERNEL32(74A90000,SHGetFolderPathA), ref: 0047F1E1

Strings

shfolder.dll, xrefs: 0047F0EF
Failed to get address of SHGetFolderPath function, xrefs: 0047F1F2
2, xrefs: 0047F123
shell32.dll, xrefs: 0047F17F
SHGetFolderPathA, xrefs: 0047F1D6
_isetup\_shfoldr.dll, xrefs: 0047F152
Failed to load DLL "%s", xrefs: 0047F1C4
SHFOLDERDLL, xrefs: 0047F15F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressDirectoryProcSystem
String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 996212319-3422985891
Opcode ID: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
Instruction ID: 162927b5a2cba69edd54960eab9b72e157ae6c4c2e5edd016ae03b58ced20ba2
Opcode Fuzzy Hash: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
Instruction Fuzzy Hash: C1413034A0020ADFCB10EFA5D9819EEB7B5EF44309F90847BE518A7252D7389E09CB59

Function 00423D04 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F854: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872

GetClassInfoA.USER32(00400000,00423B0C), ref: 00423D2F
RegisterClassA.USER32(0049C630), ref: 00423D47
GetSystemMetrics.USER32(00000000), ref: 00423D69
GetSystemMetrics.USER32(00000001), ref: 00423D78
SetWindowLongA.USER32(004108F0,000000FC,00423B1C), ref: 00423DD4
SendMessageA.USER32(004108F0,00000080,00000001,00000000), ref: 00423DF5
GetSystemMenu.USER32(004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E00
DeleteMenu.USER32(00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E0F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423E1C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423E32

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
Instruction ID: 3c08988f126546789c3863b6090fce38962bc241f8b01a8198fec2671c318d21
Opcode Fuzzy Hash: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
Instruction Fuzzy Hash: B73173B17402506AEB10AF69EC82F6736989714709F60017BFA44EE2D7D6BDED00876D

Function 004539C8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A

Strings

Wow64DisableWow64FsRedirection, xrefs: 004539E0
kernel32.dll, xrefs: 004539E5, 004539FF
Wow64RevertWow64FsRedirection, xrefs: 004539FA
shell32.dll, xrefs: 00453A47

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
Instruction ID: 18891d3ceb8887e2f5320c13b89f4eae329e81661ad9de64afed935a1ef9114c
Opcode Fuzzy Hash: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
Instruction Fuzzy Hash: EA119130644255BEEB00EF72D802B5E77A8D74479AF60447BF88066292D67C9E4C8A2D

Function 00468610 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004686B3
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004686D9

Part of subcall function 0046854C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004685E7
Part of subcall function 0046854C: DestroyCursor.USER32(00000000), ref: 004685FD

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00468730
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00468791
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004687B7

Strings

shell32.dll, xrefs: 00468714
c:\directory, xrefs: 004686AE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 7a772aa265c91b1f74206593db125e0d1db5563dad8a39a26a2e33cb98cd9a9c
Instruction ID: 811d36ee9d093b3b0276aa4c13663b10f9457e770bee0cd4c871c76846c3392c
Opcode Fuzzy Hash: 7a772aa265c91b1f74206593db125e0d1db5563dad8a39a26a2e33cb98cd9a9c
Instruction Fuzzy Hash: D2515070600244AFD710EF55CC8AFDAB7E8AB48305F5082BAF4049B751DA799E81CA59

Function 00430E20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430E28
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430E37
GetCurrentThreadId.KERNEL32 ref: 00430E51
GlobalAddAtomA.KERNEL32(00000000), ref: 00430E72

Strings

commdlg_help, xrefs: 00430E23
commdlg_FindReplace, xrefs: 00430E32
WndProcPtr%.8X%.8X, xrefs: 00430E63

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
Instruction ID: 010e98d13399693fc9d497d8664f6f2789eb24ebecb377ca83b09cc51ba55008
Opcode Fuzzy Hash: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
Instruction Fuzzy Hash: 58F082B09483408ED300EB768842B1E7BE4AB58718F404A3FB498A62A1D77A9910CB1F

Function 004232E0 Relevance: 12.1, APIs: 8, Instructions: 119
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 00423334
GetCapture.USER32 ref: 00423343
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423349
ReleaseCapture.USER32 ref: 0042334E
GetActiveWindow.USER32 ref: 0042335D
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004233DC
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423440
GetActiveWindow.USER32 ref: 0042344F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
Instruction ID: 18bdd7e577e3521af934e8bbd68e58ee55e38e107d312ae6febd14bbc8fb8244
Opcode Fuzzy Hash: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
Instruction Fuzzy Hash: 07414D30B00254AFDB10EF6AD982B9E77F1AF04704F5440BAE440AB2A2DB7D9F40CB58

Function 00478DC4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00478E1D
SetWindowLongW.USER32(00000000,000000FC,00478D78), ref: 00478E44
GetACP.KERNEL32(00000000,0047905C,?,00000000,00479086), ref: 00478E81
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00478EC7

Strings

COMBOBOX, xrefs: 00478E16
Inno Setup: Language, xrefs: 00478F4F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
Instruction ID: 9a1e1fbd3c649eeeadcf20bc1b1a007eb45d24132bb8eba9a2a930841c17950d
Opcode Fuzzy Hash: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
Instruction Fuzzy Hash: 64814E34A40605DFC710DF69C889AAAB7F5FB49304F1081BAE808DB762DB78AD45CB59

Function 00423B1C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
OemToCharA.USER32(?,?), ref: 00423BEC
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C

Strings

MAINICON, xrefs: 00423BA1
2, xrefs: 00423B7A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
Instruction ID: 9510fd107b4d1d478bc251de40ec4f21bd31917ac71a3749b9d0f73c54ce2f3c
Opcode Fuzzy Hash: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
Instruction Fuzzy Hash: 1031C271A042549EDB10EF69D8C47C67BE8AF14308F4441BAE844DB293D7BEDA88CB55

Function 004193C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 004193CD
GlobalAddAtomA.KERNEL32(00000000), ref: 004193EE
GetCurrentThreadId.KERNEL32 ref: 00419409
GlobalAddAtomA.KERNEL32(00000000), ref: 0041942A

Part of subcall function 00423558: GetDC.USER32(00000000), ref: 004235AE
Part of subcall function 00423558: EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
Part of subcall function 00423558: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
Part of subcall function 00423558: ReleaseDC.USER32(00000000,00000000), ref: 004235D4

Part of subcall function 00423B1C: LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
Part of subcall function 00423B1C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
Part of subcall function 00423B1C: OemToCharA.USER32(?,?), ref: 00423BEC
Part of subcall function 00423B1C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C

Part of subcall function 0041F5A8: GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
Part of subcall function 0041F5A8: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED

Strings

Delphi%.8X, xrefs: 004193DF
ControlOfs%.8X%.8X, xrefs: 0041941B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
Instruction ID: 70937e91f797630ba3b8911ce9801afdb7ec3901755c8c3c4a5a11a92c11164f
Opcode Fuzzy Hash: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
Instruction Fuzzy Hash: 92111A706182409AC300FF76D94279E3BE09B64309F80953FF449A72A2DB3DAD458B5F

Function 00413ACC Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413AF4
GetWindowLongA.USER32(?,000000F0), ref: 00413AFF
GetWindowLongA.USER32(?,000000F4), ref: 00413B11
SetWindowLongA.USER32(?,000000F4,?), ref: 00413B24
SetPropA.USER32(?,00000000,00000000), ref: 00413B3B
SetPropA.USER32(?,00000000,00000000), ref: 00413B52

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
Instruction ID: ae8f1583d3b1519aebe57cde2a9c9bb5e562c2388428f51edfa5c09d84851558
Opcode Fuzzy Hash: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
Instruction Fuzzy Hash: 8B11FC75500204BFCB00DFD9DC84E9A3BE8EB19364F104266B918DB2A2D738E990CB94

Function 0047EDD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE63
GetLastError.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE6C

Strings

Created temporary directory: , xrefs: 0047EE05
_isetup, xrefs: 0047EE4E
\_setup64.tmp, xrefs: 0047EEDE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 5f75c24b460723fcdfba9950ec6282d6ab576ec79b10eebf27e30941102b1c05
Instruction ID: 86bef283ce988d733661aa3151468cc82572962b3dbe771d766a2fd360a5d677
Opcode Fuzzy Hash: 5f75c24b460723fcdfba9950ec6282d6ab576ec79b10eebf27e30941102b1c05
Instruction Fuzzy Hash: C6415674A001099BCB11FFA2D881ADEB7B9FF48305F50457BE404B7792DB38AE058B98

Function 00423F14 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423EAC), ref: 00423F38
GetWindow.USER32(?,00000003), ref: 00423F4D
GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92

Strings

EB, xrefs: 00423F82, 00423F86

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: EB
API String ID: 4191631535-4058845024
Opcode ID: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
Instruction ID: d60c47438ca5cb8406b8c3c26f1ac59805b97d32456ef5cb908caaf585e7f615
Opcode Fuzzy Hash: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
Instruction Fuzzy Hash: E5115E71B04610AFDB109F28E989F5677F4EB08719F61066AF9649B2E2C378DC40CB58

Function 00448A1C Relevance: 7.7, APIs: 5, Instructions: 160libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448C1C), ref: 00448B48
GetLastError.KERNEL32(00000000,?,?,00000000,00448C1C), ref: 00448B6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448BD6
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00448C1C), ref: 00448BF1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 63cc74ccd02df5d1501b917637fd563c114fed944347ce56eb0fb2cf20442c69
Instruction ID: 86cd10a4b754a346bbb6b93b1800c6189756eba4f25aae068f18fd67d3000257
Opcode Fuzzy Hash: 63cc74ccd02df5d1501b917637fd563c114fed944347ce56eb0fb2cf20442c69
Instruction Fuzzy Hash: B35146B0A001459FDB00EF95C481AAFB7F8EF45315F10817EE414BB396CA789E458B59

Function 0042F1C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224

Strings

shlwapi.dll, xrefs: 0042F201
SHAutoComplete, xrefs: 0042F21E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
Instruction ID: 6fa00d493cbbc8796123fe1d0635de5045be30c1a8ceda1a87749c26dfdb7117
Opcode Fuzzy Hash: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
Instruction Fuzzy Hash: 6501C434700758FBE711DB62EC42B5A7AF8DB56704FD000B7B00062691C6BA9D48862D

Function 00481F4C Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?,00000000), ref: 00481FF2
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?), ref: 00481FFF
FindNextFileA.KERNEL32(000000FF,?,00000000,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497), ref: 004820F4
FindClose.KERNEL32(000000FF,0048211F,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?), ref: 00482112

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: bdfb6e2b1c87897b3a9af8a5dc7d12f2e58d8891e161b502f6e8fba4fadf01fa
Instruction ID: 08b9d9e684fed8dea23f8f184a6a28fa9329586f58159be8e4499552dc0984e9
Opcode Fuzzy Hash: bdfb6e2b1c87897b3a9af8a5dc7d12f2e58d8891e161b502f6e8fba4fadf01fa
Instruction Fuzzy Hash: A8518F70A00648AFCB11EFA5CD45ADEB7B8EB49315F1084AAA908F7351D7389F85CF54

Function 00421704 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 004217F1
SetMenu.USER32(00000000,00000000), ref: 0042180E
SetMenu.USER32(00000000,00000000), ref: 00421843
SetMenu.USER32(00000000,00000000), ref: 0042185F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
Instruction ID: cda4d875d1f608ccb0f244f9e48059a425efb766f93e731c33a2d40a56ce0a72
Opcode Fuzzy Hash: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
Instruction Fuzzy Hash: 4641B230B002604BDB20BE3A98857DB36959FA1708F48047FB8408F3A7CA7DCC8587AD

Function 00416FD2 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00417014
SetTextColor.GDI32(?,00000000), ref: 0041702E
SetBkColor.GDI32(?,00000000), ref: 00417048
CallWindowProcA.USER32(?,?,?,?,?), ref: 00417070

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
Instruction ID: 80572e548b46958a0d24f1498dfa195ce4484893cdd9813db9ff7b95e026d91f
Opcode Fuzzy Hash: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
Instruction Fuzzy Hash: A71151B5604700AFD710EE6ECD84E8B77EDDF49310B14882BB599DB612C62CEC418B79

Function 00423558 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004235AE
EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
ReleaseDC.USER32(00000000,00000000), ref: 004235D4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
Instruction ID: e37963186075478de4bf5b94465d182e7684c730ebf482ac601e72b604436184
Opcode Fuzzy Hash: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
Instruction Fuzzy Hash: B301D2A17043006AE700BF795D82B9B37649F00309F04467BF808AF3C2D67E9805476E

Function 0049BA2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356

Part of subcall function 004063FC: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
Part of subcall function 004063FC: GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B

Part of subcall function 00406854: 6FBE1CD0.COMCTL32(0049BA49), ref: 00406854

Part of subcall function 00410BF4: GetCurrentThreadId.KERNEL32 ref: 00410C42

Part of subcall function 004194D0: GetVersion.KERNEL32(0049BA62), ref: 004194D0

Part of subcall function 0044FDB0: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
Part of subcall function 0044FDB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1

Part of subcall function 0045027C: GetVersionExA.KERNEL32(0049E794,0049BA7B), ref: 0045028B

Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A

Part of subcall function 004578E4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E

Part of subcall function 00465A14: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
Part of subcall function 00465A14: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65

Part of subcall function 0046E39C: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7

Part of subcall function 0047AD94: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7

Part of subcall function 004863AC: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF

Part of subcall function 00498A20: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00498A39

SetErrorMode.KERNEL32(00000001,00000000,0049BAF0), ref: 0049BAC2

Part of subcall function 0049B7EC: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
Part of subcall function 0049B7EC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC

Part of subcall function 00424964: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424983

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

ShowWindow.USER32(?,00000005,00000000,0049BAF0), ref: 0049BB23

Part of subcall function 00484988: SetActiveWindow.USER32(?), ref: 00484A36

Strings

Setup, xrefs: 0049BB09

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 56708735-3839654196
Opcode ID: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
Instruction ID: 45436910a3e38556774c512443cf6fe356218821253e756f5799c0333a1408c1
Opcode Fuzzy Hash: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
Instruction Fuzzy Hash: 5F31D2752046009EC601BBB7F95391D3BA8EB99708BA2443FF804D6663DF3D6814CA7E

Function 00478520 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478624
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478638

Strings

Extracting temporary file: , xrefs: 00478560

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: 9a443946346554f5f699f38ec1ba9ea7c8e6c3b6831cef0b8485c7e82be0b504
Instruction ID: 383de906be10c9968b5e8a45eec8df85735b502e1e4fcc0ad11d623c1d954b10
Opcode Fuzzy Hash: 9a443946346554f5f699f38ec1ba9ea7c8e6c3b6831cef0b8485c7e82be0b504
Instruction Fuzzy Hash: FA41A670A00249AFCB01DFA5CC92EDFBBB8EB09304F51847AF914A7291D7789905CB58

Function 004863AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
Part of subcall function 00485E3C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
Part of subcall function 00485E3C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6

Part of subcall function 00486178: GetVersionExA.KERNEL32(?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 00486186
Part of subcall function 00486178: GetVersionExA.KERNEL32(0000009C,?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 004861D8

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF

Strings

shell32.dll, xrefs: 004864C7
SHGetKnownFolderPath, xrefs: 004864AC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 1303913335-2936008475
Opcode ID: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
Instruction ID: 0a3b8753df86b64a0abe51da698ff3945e27f94a4f66e9c257dfb1cfa232dc74
Opcode Fuzzy Hash: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
Instruction Fuzzy Hash: 2A315EB06002019EC740FFBA999674A3BA4DB5430CB91897BF400FB3D2D77DA8099B5E

Function 0047B00C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,0047B0F2,?,?,00000001,00000000,00000000,0047B10D), ref: 0047B0DB

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047B066
%s\%s_is1, xrefs: 0047B084

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 065378d35833d496f10a5c42d9e6932571d79af8682fa40a96d658d7fa4ed314
Instruction ID: 72e7e3a815698905cf2a8865a6f5f2f162ab337690929d3c45f1fbd164993866
Opcode Fuzzy Hash: 065378d35833d496f10a5c42d9e6932571d79af8682fa40a96d658d7fa4ed314
Instruction Fuzzy Hash: 46214370B042545FDB01DF66C8527DEBBE8EB49704F90847AE408E7381D77899018B95

Function 00454220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454266
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045426F

Strings

.tmp, xrefs: 0045424F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
Instruction ID: 415d91b16f05740ba1416afe7bf5adb9ba5615b539517dd81add0c9acb6d8760
Opcode Fuzzy Hash: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
Instruction Fuzzy Hash: C9216775A002189BDB01EFA1C8429DFB7B8EB84309F50457BFC01BB342D63C9E458B65

Function 004578E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00457874: CoInitialize.OLE32(00000000), ref: 0045787A

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E

Strings

SHCreateItemFromParsingName, xrefs: 0045790B
shell32.dll, xrefs: 00457926

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 1013667774-2320870614
Opcode ID: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
Instruction ID: 883c9a478e7d65875247b88054ead2603694175a92ab65d05d339cd7b334e9d1
Opcode Fuzzy Hash: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
Instruction Fuzzy Hash: F7F03670604608ABE700EBA6E842F5D77ACDB45759F604077B800B2692D67CAE08C96D

Function 0046E39C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7

Strings

SHPathPrepareForWriteA, xrefs: 0046E3B4
shell32.dll, xrefs: 0046E3CF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2552568031-2683653824
Opcode ID: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
Instruction ID: 1520e6e4c9beca3123f98d7cbe6aabbef4d784ad694bed30d21e1b99286f75d0
Opcode Fuzzy Hash: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
Instruction Fuzzy Hash: 48F04434604618BBDB00EB63DC42F5E7BECD745754FA14076F400A6591EA78AE048969

Function 0047E814 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047EB66,00000000,0047EB7C), ref: 0047E876

Strings

RegisteredOrganization, xrefs: 0047E865
RegisteredOwner, xrefs: 0047E853

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 5252ed743ca1506dfec4bf7763c13d87116031bf2e865ad439b10f43f09a7791
Instruction ID: 7230bcb305953dbfdc536c8ede0a4f62da6dd01636a6d4693cd9d102c919f290
Opcode Fuzzy Hash: 5252ed743ca1506dfec4bf7763c13d87116031bf2e865ad439b10f43f09a7791
Instruction Fuzzy Hash: F7F0B430B04104AFEB04E6A6ED82BEB379DC715308F2095BBE505DB392D678ED05979E

Function 00484014 Relevance: 4.6, APIs: 3, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00484171), ref: 00484109
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0048411A
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00484132

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: dc8b36ddd18fed80e840ee8cbe9b889ef4cf18149991e537b86b896238235e1c
Instruction ID: ab56d251ed543ba42b2362adab02e381b7ffec43a0f0b9b6508873944b2238f1
Opcode Fuzzy Hash: dc8b36ddd18fed80e840ee8cbe9b889ef4cf18149991e537b86b896238235e1c
Instruction Fuzzy Hash: DD3104707043455AD711FB369C86BAF3A549BA2308F50493FF900AB3D3DA7C9849879D

Function 00452CE8 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,?), ref: 00452D08
751C1500.VERSION(00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D35
751C1540.VERSION(?,00452DAC,?,?,00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D4F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: C1500C1520C1540
String ID:
API String ID: 1315064709-0
Opcode ID: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
Instruction ID: ddd73f9b83f47df12750701182fb86573bb1adbd0e7288047a879799487d3de5
Opcode Fuzzy Hash: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
Instruction Fuzzy Hash: EE216871A005086FD701DAA98D41DAFB7FCDB46711F554477FC04E3242D6799E08C769

Function 0044B8C0 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044B935
SelectObject.GDI32(?,00000000), ref: 0044B958
ReleaseDC.USER32(00000000,?), ref: 0044B98B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID:
API String ID: 1831053106-0
Opcode ID: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
Instruction ID: 5f6416779418d586cf190573f7bf4a7bb4d400156242e88c08e8c7aea5cbb268
Opcode Fuzzy Hash: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
Instruction Fuzzy Hash: C62177B0E04308AFEB11DFA5C881B9EBBB8EB49304F5184BAF500A7291D77CD940CB59

Function 0044B5F4 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B680,?,004849A3,?,?), ref: 0044B652
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B665
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B699

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 63c04f90603744f798e42aba6243c37eae4be5ab149869f7acaebc15ddea55e3
Instruction ID: 1ea4d790d63f24178cbae964d575408221d26853f0f73c11de666758b6730ab2
Opcode Fuzzy Hash: 63c04f90603744f798e42aba6243c37eae4be5ab149869f7acaebc15ddea55e3
Instruction Fuzzy Hash: D111B6B27046047FE710DAAA9C82D6FB7ECDB49724F10457AF504E7290DA399E018A69

Function 0042488C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004248A2
TranslateMessage.USER32(?), ref: 0042491F
DispatchMessageA.USER32(?), ref: 00424929

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 217a056534c9592df3de3b745a25b010ee0154ab168cb63c5ecf066f178eda2d
Instruction ID: 2fd165f6649a427b3319829ae0df7e0e74220d275175f78bf4976128ec8e280a
Opcode Fuzzy Hash: 217a056534c9592df3de3b745a25b010ee0154ab168cb63c5ecf066f178eda2d
Instruction Fuzzy Hash: 9711C4703053605ADA20E634A9417ABB7C4CFC3704F82481EF9D987392D37D9D89879A

Function 00416AD4 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 00416AFA
SetPropA.USER32(00000000,00000000), ref: 00416B0F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416B36

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: d713cafafaca0930c04d6cb39f3c322ae331ae37b9587890123c67b5c3bff97d
Instruction ID: f49ac21c72ec4198518a05967b53ec16f1ca927682628d76ec8ffae5e4f9a687
Opcode Fuzzy Hash: d713cafafaca0930c04d6cb39f3c322ae331ae37b9587890123c67b5c3bff97d
Instruction Fuzzy Hash: 75F0B271741220AFD710AB9A8C85FA633DCAB19715F160176BD09EF286C678DC41C7A8

Function 0041F2E4 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041F2F4
IsWindowEnabled.USER32(?), ref: 0041F2FE
EnableWindow.USER32(?,00000000), ref: 0041F324

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 75da7560ddbcbd352d2b263d7a30c73b5df1f70394dc16e5d6cfb5f5cdd4f04a
Instruction ID: 461c9e3a5a3bf819d65056d8b2c697f5f692a305fcbbe48695acf38c0ff2848d
Opcode Fuzzy Hash: 75da7560ddbcbd352d2b263d7a30c73b5df1f70394dc16e5d6cfb5f5cdd4f04a
Instruction Fuzzy Hash: E1E0EDB4101204AAE710AB76DCC1A56779CFB54354F818437AC159B293DA3DE8459A78

Function 00484988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00484A36

Strings

InitializeWizard, xrefs: 004849CF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 63f8521eac833f62b5623e19a9cfdc6d6819e24bf70f1f364691b0772a1e9880
Instruction ID: 9663d0bfca85fd8d9c68d73251753a4714549ba788b257aa0fdf1999294ad1b6
Opcode Fuzzy Hash: 63f8521eac833f62b5623e19a9cfdc6d6819e24bf70f1f364691b0772a1e9880
Instruction Fuzzy Hash: D9116D30644144DFD304FB2AFC46A5A77E8E765718F61843BE404CB7A2EA39EC048B6D

Function 0047E730 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047E97C,00000000,0047EB7C), ref: 0047E775

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047E745

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: ca07cc273c2b46f61372ca569078a001357472d08ce3e20ae14c980e0cb804ec
Instruction ID: a9f283cd3a80185a7eeae6af9f057f4917a41fcfe10abca868fc5e90a7391123
Opcode Fuzzy Hash: ca07cc273c2b46f61372ca569078a001357472d08ce3e20ae14c980e0cb804ec
Instruction Fuzzy Hash: 7CF082357042146BDA04A65F5C42BAEA79D8B88758F2041BBF908DB342DAB99E0203AD

Function 0042E2AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042E2C6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: ed255555a649cb1171c21319c526f46fc311307b4f4854cf2574364da4ece07e
Instruction ID: 56e59db3f123c5f73e455ef79faaa31902e81261c81f50e50b595f428ef93046
Opcode Fuzzy Hash: ed255555a649cb1171c21319c526f46fc311307b4f4854cf2574364da4ece07e
Instruction Fuzzy Hash: 6FD0C772510128BBD701DA89DC41EFB775DDB15760F40401BFD1497141C2B4EC5197F4

Function 004806B8 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,00480997,?,-0000001A,0048289A,-00000010,?,00000004,0000001C,00000000,00482C37,?,0045E3F8), ref: 0048072E

Part of subcall function 0042E7AC: GetDC.USER32(00000000), ref: 0042E7BB
Part of subcall function 0042E7AC: EnumFontsA.GDI32(?,00000000,0042E798,00000000,00000000,0042E804,?,00000000,00000000,?,00000001,00000000,00000002,00000000,0048361D), ref: 0042E7E6
Part of subcall function 0042E7AC: ReleaseDC.USER32(00000000,?), ref: 0042E7FE

SendNotifyMessageA.USER32(000203D4,00000496,00002711,-00000001), ref: 004808FE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: 1709ff10a59be4cecabd083e4b30542a8388fbd88fe320f99732743ee2b207fe
Instruction ID: d9213170d9bb76dc80c92ed06a2bbf1e51aab055aabe148a8f981411f3335874
Opcode Fuzzy Hash: 1709ff10a59be4cecabd083e4b30542a8388fbd88fe320f99732743ee2b207fe
Instruction Fuzzy Hash: 925185746101049BDB50FF26D88165E77A9BB54309B50893BE8049B367CB3CED4ECB9D

Function 0042E090 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E0CC
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E13C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 84705cc745a76f35316d583d44dda58a4a0f4931e2014e09282529c66a3fa9aa
Instruction ID: ac779da0cea268326c2a6d460357836690a2c7bc48c0bb75f71a4d6dd427c8e5
Opcode Fuzzy Hash: 84705cc745a76f35316d583d44dda58a4a0f4931e2014e09282529c66a3fa9aa
Instruction Fuzzy Hash: F6415D71E00129ABDB11DE92D881BBFB7B9AB00704F94447AE804F7281D738AE44CBA5

Function 0040B268 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B282
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B3DF,00000000,0040B3F7,?,?,?,00000000), ref: 0040B293

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 56b5692d0589e69d78817d1186c68a61f8e6556489325b11d82404695b0d2b2e
Instruction ID: 695c6acfda2bd8b41d5000065fdd751145cb6e9c132907bad199632a3a3e20ef
Opcode Fuzzy Hash: 56b5692d0589e69d78817d1186c68a61f8e6556489325b11d82404695b0d2b2e
Instruction Fuzzy Hash: 9701F7717003046FD700EF66DC52D1A77ADDB49758711807BF500EB2D0D6799C01D66D

Function 0041F334 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F383
EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
Instruction ID: 69490fc5d8632824c24a89202964c68dfb33a06c8812e8dd8cc51cc2245d12bd
Opcode Fuzzy Hash: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
Instruction Fuzzy Hash: E7016D75A04608BFD701CF76EC5195ABBF8E789720B62C877E804D3790E7386811DE18

Function 004236CC Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 004236D9
LoadCursorA.USER32(00000000,00000000), ref: 00423703

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
Instruction ID: 38849c99451a314d8fe435546c8a0ff0f6ed66ecc1deebef06b1f4ec46e3768a
Opcode Fuzzy Hash: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
Instruction Fuzzy Hash: 5FF0A7617041206BD620593E6CC1D2A76AC8B81B35F61033BFA2BD73D1C66E6D41416D

Function 0042E824 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E82E
LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
Instruction ID: d8a4edba93e6b3564287fdd291ee362a4641d771db482aeeea55453c97403edd
Opcode Fuzzy Hash: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
Instruction Fuzzy Hash: 49F08270B14744BEDB116F779C6282BBBECE749B1079249B6F800A3691E63C88108928

Function 00478D78 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(6FBA27E0,?,?,?,?), ref: 00478DA5
CallWindowProcW.USER32(FFFF0401,?,?,?,?), ref: 00478DB6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ce7ea350cd2d8a29d4756030a0e2150e6ff414cb3a27e593d77670a1272721e0
Instruction ID: ec977eba15decb799f6fff92ffb6f57cd97eebcf4dd56cd6945e1ca0977ddd56
Opcode Fuzzy Hash: ce7ea350cd2d8a29d4756030a0e2150e6ff414cb3a27e593d77670a1272721e0
Instruction Fuzzy Hash: A7F01CB21002146BDA109A69DD8DCA77B6CEF99260704862BBD18D7291D578AD008678

Function 1001AB60 Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10015F4A,00000001,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C), ref: 1001AB71
HeapDestroy.KERNEL32(?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182,?), ref: 1001ABA7

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d51d877cb5c1f0d5ea29e2820df05733b799c51debb12d39d135f094c57ed51b
Instruction ID: a13ca330b9ee1e04be8b377651445f9444b7b3be721a7336b046ddea287adc12
Opcode Fuzzy Hash: d51d877cb5c1f0d5ea29e2820df05733b799c51debb12d39d135f094c57ed51b
Instruction Fuzzy Hash: 1FE06D35A583A29EFB01EB319DD975636E9E7492D6F118825F801CE0A2E7B5C4C19B00

Function 0047EAC5 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(0049CD58,00008000,00000000,?), ref: 0047EAD5
CoTaskMemFree.OLE32(?,0047EB18), ref: 0047EB0B

Strings

Common Files, xrefs: 0047E9E1
CommonFilesDir, xrefs: 0047E9AA, 0047EA26
\Program Files, xrefs: 0047E997
ProgramFilesDir, xrefs: 0047E970, 0047E9F7
Failed to get path of 64-bit Program Files directory, xrefs: 0047EA19
SystemDrive, xrefs: 0047E90F
COMMAND.COM, xrefs: 0047EB57
Failed to get path of 64-bit Common Files directory, xrefs: 0047EA48
cmd.exe, xrefs: 0047EB36

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
Instruction ID: 165899f7cf3a7d3cc2084f0fc85f54689cbe0ef7c4de0502b74dd13bf0a7d919
Opcode Fuzzy Hash: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
Instruction Fuzzy Hash: C9E06D31340640AEEB11CA629C12B597BA8EB89B14BA184B3F500E6694D679AE009A58

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
Instruction ID: 9ed38fc533d8e4e5af650f240f956f2e356275670cbb68eb90ec247bb51ad9a4
Opcode Fuzzy Hash: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
Instruction Fuzzy Hash: 27F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9

Function 00408A6C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408BA2), ref: 00408A8B

Part of subcall function 0040727C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407299

Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
Instruction ID: 1a1ee965da3d5e477180f9d3e1b3e31d3a1d40cbd97d3d5e52e02950362564b9
Opcode Fuzzy Hash: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
Instruction Fuzzy Hash: A7314F75E001099BCF00EB95C8819EEB779EF84314F51857BE814BB286E738AE458B99

Function 0042002C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 004200C9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
Instruction ID: fb0b6b32162d284d5e4e4472e465846aa9f3b1678ed1a2f027c040ff7edaf6c0
Opcode Fuzzy Hash: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
Instruction Fuzzy Hash: 4E214FB1604755AFD340DF39A44076ABBE4BB48314F04892EE098C3341E779E995CBD6

Function 004169E0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416A15

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
Instruction ID: 5ef094d12f7d71e5830b73219e88c414bb2d46ce683ba0b40c209d6d3be90de3
Opcode Fuzzy Hash: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
Instruction Fuzzy Hash: 26F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD261EC108BB1

Function 00414E44 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E7F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 00450F9C Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450FDC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3d1f2366c55396597a1dc151834003a825219e09de8a822373c262138b7a9d60
Instruction ID: 0bb8bc98a2ce5191ccdfd632eb20aa7c5cb2b99e9b0e2766e1f3384ce1d09118
Opcode Fuzzy Hash: 3d1f2366c55396597a1dc151834003a825219e09de8a822373c262138b7a9d60
Instruction Fuzzy Hash: 28E092B13401483ED340DFAC7C81F9237CC931A314F008033B948D7241C4619D118BA8

Function 0042D15C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042D1A4,?,00000001,?,?,00000000,?,0042D1F6,00000000,004531FD,00000000,0045321E,?,00000000), ref: 0042D187

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
Instruction ID: 90f30b3d4511ddb26d4e54eb5cb5bde7ef97429f4a5987d97ea56347c6c51953
Opcode Fuzzy Hash: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
Instruction Fuzzy Hash: C0E09B71704344BFD701FF62DC53E5ABBECDB49714BA14476B404D7691D5785E10C468

Function 0042ED58 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
Instruction ID: e79f09bbc4d4bb3d85d444e79d719d693aec0fec5ee663d6819558c24f001612
Opcode Fuzzy Hash: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
Instruction Fuzzy Hash: F1E0206179471226F23515566C43B77160E43C0704F94403A7F40DD3D3D6AE9906425E

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00423B0C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00406329

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8af83935ca987eeebb979c0a6a94b74e9f9155cd6b79be10dcadafa6e5b8a04f
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: 8af83935ca987eeebb979c0a6a94b74e9f9155cd6b79be10dcadafa6e5b8a04f
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 00414B0C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00498852,?,00498874,?,?,00000000,00498852,?,?), ref: 00414B2B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00407374 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407388

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: eaef3e41fac1cbfa854ddb341d31900aa063179008544f75f8bc420d4d627cb5
Instruction ID: 51cff3a49c81a4b9db3197a4d20e141758e459673e55ef7a77d81eb6c57d9f36
Opcode Fuzzy Hash: eaef3e41fac1cbfa854ddb341d31900aa063179008544f75f8bc420d4d627cb5
Instruction Fuzzy Hash: 3DD012723082106AE220955A9C84DAB5BDCCBCA774F11063ABA58D6181D6308C018675

Function 00407310 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,00000001,00000001,00000000,00000003,00000080,00000000,?,0040AB64,0040D148,?,00000000,?), ref: 00407346

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92f9b60985cfab35338e5fbfe108bac6fc5448739c65cd2808a9ec2adf1778af
Instruction ID: 4c738d89b53f352080375c7194437b9ec9fb3d9619a7651bf31662f65e46d5c4
Opcode Fuzzy Hash: 92f9b60985cfab35338e5fbfe108bac6fc5448739c65cd2808a9ec2adf1778af
Instruction Fuzzy Hash: E1E017A23D0A1876E620AADCACC3F56128CC718759F048032F600EF2D1D6AC9E1087A8

Function 004073A0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004073B4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 803a6739d4a2560f638b2739305ab39b64de9ba4a7bf4e405682762548192292
Instruction ID: 517e21fc39e357fcc75414f86969db1bfc0739985e912eef881c3d4632b4c6ac
Opcode Fuzzy Hash: 803a6739d4a2560f638b2739305ab39b64de9ba4a7bf4e405682762548192292
Instruction Fuzzy Hash: 74D012723181506AE220A55A5C44EAB6EDCCBC5770F10063AB958D21C1D6309C01C675

Function 00423ADC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423A88: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A9D

ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7

Part of subcall function 00423AB8: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423AD4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 6c97eab4d5f35d9e0c4c492f0780e1f33e5a1e11612eb1c0cb2b18762b4c2d00
Instruction ID: a4d1e59934daad15499cd62f29d800d7a8388f589a5efdc182870931650505b7
Opcode Fuzzy Hash: 6c97eab4d5f35d9e0c4c492f0780e1f33e5a1e11612eb1c0cb2b18762b4c2d00
Instruction Fuzzy Hash: 81D05B127411702102107A7B2405A8B45AC4D9225B384047BB48097303D95D4D0552A8

Function 00424754 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0042476C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 805f3cc7500933323b9257a6a261a55e12d82397c97f56fe04234c9d564d4e6f
Instruction ID: 9eeed77ebbf23638ebb637759628e88e4fff7ef3ebed755505968d13fb2e7b10
Opcode Fuzzy Hash: 805f3cc7500933323b9257a6a261a55e12d82397c97f56fe04234c9d564d4e6f
Instruction Fuzzy Hash: 44D05EE2B011702BCB01BAAD54C4AC667CC8B8925AB1940BBF904EF257C738CE408398

Function 0042D1B4 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00451DA3,00000000), ref: 0042D1BF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: edecd2973abb1a87aacb4b7103d0c28639b492f0686a1453dc354fd5429015d1
Instruction ID: de8bff456184001464f3abbdb54ffbc0c147f56bb2634b1a4235557a7056eb2a
Opcode Fuzzy Hash: edecd2973abb1a87aacb4b7103d0c28639b492f0686a1453dc354fd5429015d1
Instruction Fuzzy Hash: 81C08CE0712210169E10A5BD2CC652B02C84A5833A3A40A37B429E66E2D23D88662029

Function 00407350 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB64,0040D110,?,00000000,?), ref: 0040736D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3d8f170739f3a34673bd151ee70ad601a415bf6ca4d09768124c2509aaf33128
Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
Opcode Fuzzy Hash: 3d8f170739f3a34673bd151ee70ad601a415bf6ca4d09768124c2509aaf33128
Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C

Function 0041F82C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F840

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91

Function 00451104 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B

Part of subcall function 00450E8C: GetLastError.KERNEL32(00450CA8,00450F4E,?,00000000,?,0049ACB0,00000001,00000000,00000002,00000000,0049AE11,?,?,00000005,00000000,0049AE45), ref: 00450E8F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 2f66420dfdec2ee722637dd7a077e757eb137bea55ce6f4fccac44aeccfb3de3
Instruction ID: b009645766b32297bd0322e78edf4af2955e4b8d8b267255ddd48f13edbe2cec
Opcode Fuzzy Hash: 2f66420dfdec2ee722637dd7a077e757eb137bea55ce6f4fccac44aeccfb3de3
Instruction Fuzzy Hash: 66C04C65300500478F10A6AE89C2A0763E85F4D30631045A6B904DF217D668D8048A18

Function 0042E87F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E89D), ref: 0042E890

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3f5ca8107a421579e24e876ed9f2491131596575bec673942313541f3fe4ade1
Instruction ID: 8695c582b33247a37f73f24666a6b5554d32f9d966171ece6814e81b39e17e84
Opcode Fuzzy Hash: 3f5ca8107a421579e24e876ed9f2491131596575bec673942313541f3fe4ade1
Instruction Fuzzy Hash: 49B09B76F0C6005DF705DAD5745552D67D4D7C57203E14977F150D35C0D53C5800491C

Function 004073CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000), ref: 004073D1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7a518271ff9bda85f12b8806651da4c0f96d2c6471cc860e16869bce2b9c9d07
Instruction ID: 8ab35750f3efd4d99fa83ee5673b62d8a6256d966d57501d01fbbdede9c777f2
Opcode Fuzzy Hash: 7a518271ff9bda85f12b8806651da4c0f96d2c6471cc860e16869bce2b9c9d07
Instruction Fuzzy Hash: 459002D465160138F81462614C5BF3B001CD7C0B14FD0465D3100A50C254AC6C000879

Function 00416A7C Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00416A83

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 9d6690cf9d3310b1ea67583473288d09d9a8b553081644455fd58860a5b2f519
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: 9d6690cf9d3310b1ea67583473288d09d9a8b553081644455fd58860a5b2f519
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 0041F854 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9b0f0e9299e17d878422f97f99b00588243c29834ad84fb5cccc8c64114728c
Instruction ID: f08fc093bd3761fae95f56252c9cb4b1dce7b9a4e026fad3115f2fcf1a938b7c
Opcode Fuzzy Hash: e9b0f0e9299e17d878422f97f99b00588243c29834ad84fb5cccc8c64114728c
Instruction Fuzzy Hash: CC115A746007059BDB10EF1AC880B82FBE4EFA9350F10C53AE9588F385D774E849CBA9

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 11f6be92898c399badff9446a2108036f08e0859c2581f6b6d69b6d4b53dce9c
Instruction ID: 4f728963ec5fa8eda03367237536c92bed861ff5ff18aa36a9f69eb769fc07b0
Opcode Fuzzy Hash: 11f6be92898c399badff9446a2108036f08e0859c2581f6b6d69b6d4b53dce9c
Instruction Fuzzy Hash: 9301FC766442148FC310DE29DCC0E2677E8D794378F15453EDA85673A1D37A6C0187D9

Function 0045379C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00453805), ref: 004537E7

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 544b47dc5bc5d2f2413b2081e143b2f92e92cc70b3939a84da48f96d0e7136c3
Instruction ID: cb4131d2e651d1d846aaeffdd441063052296316b0d396e6bd3d8335f5975378
Opcode Fuzzy Hash: 544b47dc5bc5d2f2413b2081e143b2f92e92cc70b3939a84da48f96d0e7136c3
Instruction Fuzzy Hash: BA012076A04208AF8711DF69AC014EEFBF8EB4D7617208677FC54D3382D7744E0596A4

Function 00401340 Relevance: 1.3, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0049E450,004013A3,?,?,00401443,?,?,?,00000000,00004003,00401983), ref: 00401353

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 5712d2456a5c70657260606722268c90ba5ea6029e9afae63aaa89408be14ea2
Instruction ID: ffebfc31ce5e110c1853f263bec794d38bcb1f4ca44e5b50064370e0b14d6dc8
Opcode Fuzzy Hash: 5712d2456a5c70657260606722268c90ba5ea6029e9afae63aaa89408be14ea2
Instruction Fuzzy Hash: DEF05E717012018FE724CF29D880656B7E1EBA9365F20807EE5C5D77A0D3358C418B54

Function 004073D8 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 004073D9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 99a8de520c349483bc7265182cdae8011696cadbde20a5663af8d01783707c2e
Instruction ID: 6160d783662a008e1f799edb03f3d460fe671c60c73369e1be62f9e55b6485aa
Opcode Fuzzy Hash: 99a8de520c349483bc7265182cdae8011696cadbde20a5663af8d01783707c2e
Instruction Fuzzy Hash:

Non-executed Functions

Function 1001BF7D Relevance: 66.4, APIs: 44, Instructions: 431COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 1001BFB2
___getlocaleinfo.LIBCMT ref: 1001BFC7
___getlocaleinfo.LIBCMT ref: 1001BFDC
___getlocaleinfo.LIBCMT ref: 1001BFF1
___getlocaleinfo.LIBCMT ref: 1001C009
___getlocaleinfo.LIBCMT ref: 1001C01E
___getlocaleinfo.LIBCMT ref: 1001C030
___getlocaleinfo.LIBCMT ref: 1001C045
___getlocaleinfo.LIBCMT ref: 1001C05D
___getlocaleinfo.LIBCMT ref: 1001C072

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 44f8d5532b0f190aaf4ab8506964c8f87fb22b21aeb3a983cc09d0452eea174f
Instruction ID: 457d633a20f517a02ccbbc8f910d71abe7744b258feb1cd2265b7f28e46a98cd
Opcode Fuzzy Hash: 44f8d5532b0f190aaf4ab8506964c8f87fb22b21aeb3a983cc09d0452eea174f
Instruction Fuzzy Hash: A0E1D3B290020EBEFF11CAF1DC45DFFB7BEEB44744F04092AB255D2142EA75AA159B60

Function 0041F5A8 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
FreeLibrary.KERNEL32(00000001,?,00419480,00000000,?,?,?,00000001), ref: 0041F6FF

Strings

Ctl3dUnAutoSubclass, xrefs: 0041F6B8
Ctl3dSubclassCtl, xrefs: 0041F64F
Ctl3dDlgFramePaint, xrefs: 0041F679
Ctl3dRegister, xrefs: 0041F611
Ctl3dAutoSubclass, xrefs: 0041F6A3
Ctl3dUnregister, xrefs: 0041F63A
Ctl3DColorChange, xrefs: 0041F6CD
BtnWndProc3d, xrefs: 0041F6E2
Ctl3dSubclassDlgEx, xrefs: 0041F664
CTL3D32.DLL, xrefs: 0041F5D9
Ctl3dCtlColorEx, xrefs: 0041F68E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 6fb1055e458234a7f9b902a9421b4c6cec01f5c74ead6a35fd10c6f040d197fa
Instruction ID: ada4b9d978a757ba6954df3af716d105719faea7ce3d9b9d26d7a4626bcf7c8a
Opcode Fuzzy Hash: 6fb1055e458234a7f9b902a9421b4c6cec01f5c74ead6a35fd10c6f040d197fa
Instruction Fuzzy Hash: 093112B1600610BBD710EBB1ACC6A653294F76C724795097BF144D71A2E77CA84A8F1C

Function 00458E58 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00458EBF
QueryPerformanceCounter.KERNEL32(022F3858,00000000,00459152,?,?,022F3858,00000000,?,0045984E,?,022F3858,00000000), ref: 00458EC8
GetSystemTimeAsFileTime.KERNEL32(022F3858,022F3858), ref: 00458ED2
GetCurrentProcessId.KERNEL32(?,022F3858,00000000,00459152,?,?,022F3858,00000000,?,0045984E,?,022F3858,00000000), ref: 00458EDB
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458F51
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,022F3858,022F3858), ref: 00458F5F
CreateFileA.KERNEL32(00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FA7
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004590FD,?,00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FE0

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459089
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004590BF
CloseHandle.KERNEL32(000000FF,00459104,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004590F7

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

i, xrefs: 0045903C
CreateNamedPipe, xrefs: 00458F6F
helper %d 0x%x, xrefs: 00459068
SetNamedPipeHandleState, xrefs: 00458FE9
Starting 64-bit helper process., xrefs: 00458E8D
CreateProcess, xrefs: 00459092
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458EA0
CreateFile, xrefs: 00458FB5
D, xrefs: 00459002
64-bit helper EXE wasn't extracted, xrefs: 00458EB3
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458F27
Helper process PID: %u, xrefs: 004590DC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 778ac167b205d419b8cdb1545af7bb0663bda7c35fe02ff7340d7fbbc52b6182
Instruction ID: 040c0b68ca5c8794fa0f134b015e2131507262e67e069d6a1689acc5a442bbd1
Opcode Fuzzy Hash: 778ac167b205d419b8cdb1545af7bb0663bda7c35fe02ff7340d7fbbc52b6182
Instruction Fuzzy Hash: 9C710170A00754AEDB11DF65CC45B9EB7F8AB05705F1084AAF908FB282DB785944CF69

Function 10002AA0 Relevance: 26.8, APIs: 8, Strings: 7, Instructions: 559filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 10004B30: std::_String_base::_Xlen.LIBCPMT ref: 10004B7F
Part of subcall function 10004B30: _memcpy_s.LIBCMT ref: 10004BEA

GetTickCount.KERNEL32 ref: 10002E50
GetTickCount.KERNEL32 ref: 10002E5C
InternetReadFile.WININET(?,?,?,?), ref: 10002F39
_fwrite.LIBCMT ref: 10002F67
GetTickCount.KERNEL32 ref: 10002F75
GetTickCount.KERNEL32 ref: 10002FCF
GetTickCount.KERNEL32 ref: 10002FF0
GetTickCount.KERNEL32 ref: 10003008

Part of subcall function 10005410: std::_String_base::_Xlen.LIBCPMT ref: 10005469
Part of subcall function 10005410: _memcpy_s.LIBCMT ref: 100054B1

Part of subcall function 10010450: GetWindowLongA.USER32(?,000000F0), ref: 10010454
Part of subcall function 10010450: SetWindowLongA.USER32(?,000000F0,00000000), ref: 1001046A
Part of subcall function 10010450: SendMessageA.USER32(?,0000040A,00000001,0000001E), ref: 1001047A

Part of subcall function 10003340: GetTickCount.KERNEL32 ref: 10003357

Part of subcall function 100034D0: GetTickCount.KERNEL32 ref: 100034D9

Part of subcall function 100035C0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 100035DF
Part of subcall function 100035C0: TranslateMessage.USER32(?), ref: 100035F4
Part of subcall function 100035C0: DispatchMessageA.USER32(?), ref: 100035F7
Part of subcall function 100035C0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 10003602

Strings

Download complete, xrefs: 1000314E
FileProgressBar, xrefs: 10002B5A, 10002EBE
Download failed, xrefs: 100030D0
Cannot create file, xrefs: 10002D0B
Downloading..., xrefs: 10002E7E
Cannot connect, xrefs: 10002C29
Connecting..., xrefs: 10002B30

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CountTick$Message$LongPeekString_base::_WindowXlen_memcpy_sstd::_$DispatchFileInternetReadSendTranslate_fwrite
String ID: Cannot connect$Cannot create file$Connecting...$Download complete$Download failed$Downloading...$FileProgressBar
API String ID: 3515732370-3550608020
Opcode ID: 1e3ae09d4bdcea0fa17985ec82cd69570f3ba5ea2f8165b31817899fc3386900
Instruction ID: 14689875b6b30455679291f07289f33e21ede9343fe2b772b1452d63b4c43b44
Opcode Fuzzy Hash: 1e3ae09d4bdcea0fa17985ec82cd69570f3ba5ea2f8165b31817899fc3386900
Instruction Fuzzy Hash: 3022D571D00254ABEB04DFA8C881B9EBBB9EF44340F14816DF8096B286DB75BD45CBD2

Function 00456E68 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0049CA78,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456EAE
CoCreateInstance.OLE32(0049C764,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456ED4
SysFreeString.OLEAUT32(00000000), ref: 0045708B

Strings

CoCreateInstance, xrefs: 00456EDF
IPersistFile::Save, xrefs: 00457192
{pf32}\, xrefs: 00456F4E
%ProgramFiles(x86)%\, xrefs: 00456F5E
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004570FA
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456FED
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00457134
IPropertyStore::Commit, xrefs: 00457113
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00457021
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00457070
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 004570C2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 308859552-2363233914
Opcode ID: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
Instruction ID: 2e1e526739867e50670bceb89507c71339c1b21d6ee211b494412a744f46fea4
Opcode Fuzzy Hash: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
Instruction Fuzzy Hash: 3DB13C71A04104AFDB10DFA9D885B9E7BF8AF09306F1440A6F804E7362DB38DD49CB69

Function 0047A678 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 0047A4E4: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
Part of subcall function 0047A4E4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
Part of subcall function 0047A4E4: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
Part of subcall function 0047A4E4: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28), ref: 0047A540
Part of subcall function 0047A4E4: CloseHandle.KERNEL32(00000000,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E

Part of subcall function 0047A5BC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,0047A64E,?,?,?,022F7A28,?,0047A6B0,00000000,0047A7C6,?,?,?,?), ref: 0047A5EC

ShellExecuteEx.SHELL32(0000003C), ref: 0047A700
GetLastError.KERNEL32(00000000,0047A7C6,?,?,?,?), ref: 0047A709
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047A756
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047A77A
CloseHandle.KERNEL32(00000000,0047A7AB,00000000,00000000,000000FF,000000FF,00000000,0047A7A4,?,00000000,0047A7C6,?,?,?,?), ref: 0047A79E

Strings

GetExitCodeProcess, xrefs: 0047A783
<, xrefs: 0047A6BF
ShellExecuteEx, xrefs: 0047A71A
MsgWaitForMultipleObjects, xrefs: 0047A763
runas, xrefs: 0047A6CD
ShellExecuteEx returned hProcess=0, xrefs: 0047A72A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 3263b303b0c7ec245f52f16ada52d980e86b871b141d71ef7354d9bffc785b3f
Instruction ID: 0d6525aa7dba4a670bafe224496e1c5a7b1f34ed0ce7a0cdec9df710ef63790c
Opcode Fuzzy Hash: 3263b303b0c7ec245f52f16ada52d980e86b871b141d71ef7354d9bffc785b3f
Instruction Fuzzy Hash: 15315871900204AFDB15EFA5C842ADEB7B8EF84318F50843BF518E7282D77C99158B5A

Function 00418814 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418823
GetWindowPlacement.USER32(?,0000002C), ref: 00418840
GetWindowRect.USER32(?), ref: 0041885C
GetWindowLongA.USER32(?,000000F0), ref: 0041886A
GetWindowLongA.USER32(?,000000F8), ref: 0041887F
ScreenToClient.USER32(00000000), ref: 00418888
ScreenToClient.USER32(00000000,?), ref: 00418893

Strings

,, xrefs: 0041882C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
Instruction ID: 4677e2b8f0f91e01fbb11cd2367981c379ed87121ba2a99f8ef1be567d42c28b
Opcode Fuzzy Hash: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
Instruction Fuzzy Hash: 5A11E971505201AFDB00EF69C885F9B77E8AF49314F140A7EB958DB296D738D900CB69

Function 0042F75C Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042F784
GetWindowLongA.USER32(?,000000F0), ref: 0042F798
GetWindowLongA.USER32(?,000000EC), ref: 0042F7AF
GetActiveWindow.USER32 ref: 0042F7B8
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7E5
SetActiveWindow.USER32(?,0042F915,00000000,?), ref: 0042F806

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 59304190847aac26e0075f57bafe87f7c31a57b7a7a7829f8250f9d0c6767a26
Instruction ID: 13cdee708698089d3899b8003c30923a51aeb8c8037ba69dea4574f539849007
Opcode Fuzzy Hash: 59304190847aac26e0075f57bafe87f7c31a57b7a7a7829f8250f9d0c6767a26
Instruction Fuzzy Hash: C6319371A00614AFDB01EFB6DC52D5EBBF8EB09304B9144BAF804E3292D7389D15CB18

Function 00455E14 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455E42
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E69
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E6E
ExitWindowsEx.USER32(00000002,00000000), ref: 00455E7F

Strings

SeShutdownPrivilege, xrefs: 00455E3B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
Instruction ID: 6597e5a33764c8e3d598d3dac94519450192e65d962eb3d098ce792c7942ec46
Opcode Fuzzy Hash: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
Instruction Fuzzy Hash: 08F06270294B02B9E620A7718C17F3B31CC9B40B59F54092ABD05EA1C3E7BCD6088A7A

Function 0049AF28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244,?,?,00000000,0049E62C), ref: 0049AF7F
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049B002
FindNextFileA.KERNEL32(000000FF,?,00000000,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000), ref: 0049B01A
FindClose.KERNEL32(000000FF,0049B045,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244), ref: 0049B038

Strings

isRS-???.tmp, xrefs: 0049AF69
isRS-, xrefs: 0049AF9F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: fe521ce0720771f481fb67ad3d7465d0146b5a5166c0e578d16b25d4081f1daf
Instruction ID: 04bf727f3197cccd33fd944652b66e3324626472502a6d6b0206edec7ebcaf7d
Opcode Fuzzy Hash: fe521ce0720771f481fb67ad3d7465d0146b5a5166c0e578d16b25d4081f1daf
Instruction Fuzzy Hash: 49316471901618ABDF10EF65DD41ADFBBBCDB49304F5044B7A818A32A1E7389F45CE98

Function 00457E24 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EA1
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EC8
SetForegroundWindow.USER32(?), ref: 00457ED9
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004581B1,?,00000000,004581ED), ref: 0045819C

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045801C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
Instruction ID: 1e470f9c67850fe58258b166e2de1343f71499e9040d68aaec82a8138f7570a6
Opcode Fuzzy Hash: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
Instruction Fuzzy Hash: D491FE34704604EFDB15CF55DD51F5ABBF9EB88704F2184BAE804A7792CA38AE09CB58

Function 0045663C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045677B), ref: 0045666C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00456672

Strings

GetDiskFreeSpaceExA, xrefs: 00456662
kernel32.dll, xrefs: 00456667

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
Instruction ID: b3c638b06f07771193fa82c07f29861e578aec67d60b7d75356f70af58752f0b
Opcode Fuzzy Hash: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
Instruction Fuzzy Hash: 84418271A00249AFCF01EFA5C8829EEB7B8EF4C305F51456AF804F7252D6785E098B68

Function 00476F44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00476F9D
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 0047707A
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00477088

Strings

unins, xrefs: 00476FF0
unins???.*, xrefs: 00476F87

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: cdf374b0c86a18aa50ba211f1e372957818ceb5cf0ca2b7e465b76b6baca31cc
Instruction ID: b3651197dbd027c67a28626735fb33018e03d09d0edc3c1e02fba50c739ea7b0
Opcode Fuzzy Hash: cdf374b0c86a18aa50ba211f1e372957818ceb5cf0ca2b7e465b76b6baca31cc
Instruction Fuzzy Hash: C6313E70A04148AFCB10EB65CD81ADEB7BDEB45344F91C0F6A40CA72A2DB79DF458B58

Function 00418160 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041819F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A

Strings

,, xrefs: 004181E1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 94c27d96dae92190053cdadbd09ad202be2508a7be7ad0d7a8ed44e722cc964a
Instruction ID: 3dd2bdadd829011ee7f0b750d59610fe616def585f77d2d2d1cec2b35816d924
Opcode Fuzzy Hash: 94c27d96dae92190053cdadbd09ad202be2508a7be7ad0d7a8ed44e722cc964a
Instruction Fuzzy Hash: 02215172600204ABCF00EFA9CCC1EDA77A8AF49314F55456AFD18EF246CB78D844CB68

Function 10003AF0 Relevance: 8.3, APIs: 5, Instructions: 775networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 10012E30: InternetCrackUrlA.WININET(00000004,00000000,00000000,000000F4), ref: 10012FA8

FtpSetCurrentDirectoryA.WININET(?,?), ref: 10003C1F
FtpFindFirstFileA.WININET(?,?,?,00000000,00000000), ref: 10003C5F
InternetFindNextFileA.WININET(?,?), ref: 10003E88

Part of subcall function 10005320: std::_String_base::_Xlen.LIBCPMT ref: 10005355
Part of subcall function 10005320: std::_String_base::_Xlen.LIBCPMT ref: 1000536C
Part of subcall function 10005320: _memcpy_s.LIBCMT ref: 100053DF

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileFindInternetString_base::_Xlenstd::_$CrackCurrentDirectoryFirstNext_memcpy_s
String ID:
API String ID: 3415815666-0
Opcode ID: 63a4b9dbb4699b7e5643fa31236d464c7708f1daae40cfe230320836ce58fe97
Instruction ID: 33bd8a9f75b0fd2f600ad8ea2a3b3fba2523996b1ded2731e6a00319637509c5
Opcode Fuzzy Hash: 63a4b9dbb4699b7e5643fa31236d464c7708f1daae40cfe230320836ce58fe97
Instruction Fuzzy Hash: 8C62C7B14083809FE720DF28C841B9BBBE8EF85344F514A5DF59947296DB31E949CBA3

Function 004650D0 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0046528D), ref: 00465101
FindFirstFileA.KERNEL32(00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465190
FindNextFileA.KERNEL32(000000FF,?,00000000,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465222
FindClose.KERNEL32(000000FF,00465249,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 0046523C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 78e051bc9a5b3275d56530c4d73a473f7fa706c3420aea37e8f65fd325510d73
Instruction ID: 440dca86ff91bcf92ec396117f9ee2e7eb4a9bd4f86bd55e8ffce81b2904001c
Opcode Fuzzy Hash: 78e051bc9a5b3275d56530c4d73a473f7fa706c3420aea37e8f65fd325510d73
Instruction Fuzzy Hash: 6B41A230A04A589FDB10EF65DC55ADEB7B8EB89309F4044FAF404E7381E63C9E488E59

Function 0046554C Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00465733), ref: 004655C1
FindFirstFileA.KERNEL32(00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 00465607
FindNextFileA.KERNEL32(000000FF,?,00000000,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656BC
FindClose.KERNEL32(000000FF,004656E7,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656DA

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 6483b4de62b7bd3e62c13a203bac68441579369ff222681ede31a7829b514187
Instruction ID: 5fa7a0e481a84f03f33422116c22c7c15fd1db6c0b7bd2f560a0f02907c35907
Opcode Fuzzy Hash: 6483b4de62b7bd3e62c13a203bac68441579369ff222681ede31a7829b514187
Instruction Fuzzy Hash: 82417335A00A18DFCB10EFA5CC85ADEB7B9EB88305F4044AAF804E7341E6389E44CE59

Function 100140F3 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10017604
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10017619
UnhandledExceptionFilter.KERNEL32(10029C80), ref: 10017624
GetCurrentProcess.KERNEL32(C0000409), ref: 10017640
TerminateProcess.KERNEL32(00000000), ref: 10017647

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f64aada8c6b2405166993955ac8c3e480f0a17a7403cd4dd766f4695cc831951
Instruction ID: 366666a27f9b082e75efa7794b9baa7a4b97cf6223522bf1e4b33ca186309502
Opcode Fuzzy Hash: f64aada8c6b2405166993955ac8c3e480f0a17a7403cd4dd766f4695cc831951
Instruction Fuzzy Hash: 5B21EEB88052289FE302CF68DDC56D4BBB4FB0C351F10841AEA099F662E7B05982CF55

Function 0042EDC4 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EDE6
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EE11
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE1E
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE26
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE2C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: bac512edfbbbabf362f6dfab870019f28d9faeb2075b71a466509b5389b59c8a
Instruction ID: 70587ef730fcdfb329c4590a56e67438f12b0fd4b2c9556a93668e86dd7922da
Opcode Fuzzy Hash: bac512edfbbbabf362f6dfab870019f28d9faeb2075b71a466509b5389b59c8a
Instruction Fuzzy Hash: 9CF090723917203AF620B17AAC86F7F428CCB89B68F50423AF714FF1D1D9A85D0955AD

Function 00485CFC Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00485D3A
GetWindowLongA.USER32(00000000,000000F0), ref: 00485D58
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D7A
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D8E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 4c308d3b12315672c07ac890770fdfbe74c8bd42f6d9c93706204eed776ff039
Instruction ID: 5af26d4b23032c42014cdd6a7ba96e1f526e5740e281828ed4b475e411d83285
Opcode Fuzzy Hash: 4c308d3b12315672c07ac890770fdfbe74c8bd42f6d9c93706204eed776ff039
Instruction Fuzzy Hash: 60011A716056409AEB10BB7A9C4DB5A33DD5B14304F19887BBC00DF2A3CA6DDC859B6C

Function 00463B44 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00463C18), ref: 00463B9C
FindNextFileA.KERNEL32(000000FF,?,00000000,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BD8
FindClose.KERNEL32(000000FF,00463BFF,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BF2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e5119b90939d9d572c268ad8b82d55229f907c842cf6c422454299bb1c9d4779
Instruction ID: a0cce92d96e660be0b97b7f28cec8121132c3377f259b36877ec83f4fdc062c8
Opcode Fuzzy Hash: e5119b90939d9d572c268ad8b82d55229f907c842cf6c422454299bb1c9d4779
Instruction Fuzzy Hash: 4C21D8315046886EDB11DF66CC41ADEBBACDB49705F5084FBF808E3661E638DF44CA5A

Function 0042466C Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424674
SetActiveWindow.USER32(?,?,?,?,0046E2FF), ref: 00424681

Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7

Part of subcall function 00423FA4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,022F25AC,0042469A,?,?,?,?,0046E2FF), ref: 00423FDF

SetFocus.USER32(00000000,?,?,?,?,0046E2FF), ref: 004246AE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
Instruction ID: 41fac251e040b5459bea7d3bbf68ddb82a9bf8d4fdffabeb223ec960e46dc8d5
Opcode Fuzzy Hash: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
Instruction Fuzzy Hash: FCF0D0717001108BDB40FFAAE9C5B9632A4AF49704B55057BBC05DF35BC67CDC458768

Function 0042F294 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F2A1
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F2B1
CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F2D9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
Opcode Fuzzy Hash: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96

Function 0041815E Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041819F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
Instruction ID: c40958ec65a3081d6570449c7fa77bc67a6f73258cf3a653cafff2f251148837
Opcode Fuzzy Hash: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
Instruction Fuzzy Hash: DE018F72240204BBDF10EE69DCC1EEB3398AB55364F15416AFD08DF242DA38EC8187A8

Function 00417A28 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417A53
GetCapture.USER32 ref: 00417A5C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: e2b62a8e16e158399129b422c839338f97e6c3ad2ac0daa3b8d535a8f81942d9
Instruction ID: 4baae68772761491d2023ced8ce828277fc49fe1aa00b8ecf1210e993849b5ad
Opcode Fuzzy Hash: e2b62a8e16e158399129b422c839338f97e6c3ad2ac0daa3b8d535a8f81942d9
Instruction Fuzzy Hash: AFF0317134460287DB20E66AC885ABF62B99F48395F14443BE515C7356EA6CDD848358

Function 00424624 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042462B

Part of subcall function 00423F14: EnumWindows.USER32(00423EAC), ref: 00423F38
Part of subcall function 00423F14: GetWindow.USER32(?,00000003), ref: 00423F4D
Part of subcall function 00423F14: GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
Part of subcall function 00423F14: SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92

SetActiveWindow.USER32(?,?,?,00424203,00000000,004245EC), ref: 0042463F

Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
Instruction ID: d3e93a58e57438a951a07f29fe0797b16f8422c20572e0da7720cbe2ca5f63be
Opcode Fuzzy Hash: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
Instruction Fuzzy Hash: B4E01A60700100C7EF00EFAAE8C4F8662A4BF88304F95017ABC48CF24BD67CDC448724

Function 1001F597 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 1001F5A5

Part of subcall function 10017E6B: TlsGetValue.KERNEL32(?,10017F0D), ref: 10017E78
Part of subcall function 10017E6B: TlsGetValue.KERNEL32(00000007), ref: 10017E8F

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001F5AC

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 956e7dc8681365c089192800ddefb62323125870afe30df241c50bcffd2c447a
Instruction ID: 63a62b57154db4244e5e3e7d4dd870a5920f28e733c98ec8365df5da6056edf0
Opcode Fuzzy Hash: 956e7dc8681365c089192800ddefb62323125870afe30df241c50bcffd2c447a
Instruction Fuzzy Hash: 76C08C644092C10EEF0AC3B458CC30D7A80A715402FA0088AE1848C163C86880CEC221

Function 00412A68 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C65), ref: 00412C53

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
Instruction ID: b726886feaa3cfb0c3c92f2e05cced8293b81fa2aba97a9fc1f2d8d784250eff
Opcode Fuzzy Hash: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
Instruction Fuzzy Hash: BD51F7317086058FC714DF6AD680A9AF3E5FFA8304B20866BD844C7365E7B8AD91C749

Function 0047AC34 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047AD82

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
Instruction ID: 72cb5964904ea9acb86450fde6e950c62e8bde0ebf735d0adfbf9209324b5543
Opcode Fuzzy Hash: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
Instruction Fuzzy Hash: C6415B75604104EFCB20CF59C2908AEB7F6EB88311B74C992E849DB751D338EE51DB96

Function 00455DCC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00455DE2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
Instruction ID: 85d927fa64bde7e0f6bd0e56391a747b52e91616c2131cbf33e1fd207173554c
Opcode Fuzzy Hash: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
Instruction Fuzzy Hash: 91D0C2B230460063C700BA68DC825AA358D8B84305F00483E7CC5DA2C3EABDDA4C5696

Function 0042FA00 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042FA1C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
Instruction ID: e991843b48109e052d0f5957ab47f1130dd67dcde68d8ed9d112e108350b7662
Opcode Fuzzy Hash: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
Instruction Fuzzy Hash: 02D05E7131010C6B9B00DE98E840C6B33AC9B88700BA08829F908C7201C634ED1097A8

Function 0044BBBC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BB38: GetVersionExA.KERNEL32(00000094), ref: 0044BB55

Part of subcall function 0044BB8C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BBA4

LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BD20
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BD32
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BD44
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BD56
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BD68
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BD7A
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BD8C
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD9E
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BDB0
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BDC2
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BDD4
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BDE6
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BDF8
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BE0A
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BE1C
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BE2E
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BE40
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BE52
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BE64
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BE76
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BE88
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE9A
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BEAC
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BEBE
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BED0
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BEE2
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BEF4
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BF06
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BF18
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BF2A
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BF3C
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BF4E
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BF60
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BF72

Strings

GetThemeSysFont, xrefs: 0044BE80
GetCurrentThemeName, xrefs: 0044BF34
GetThemeIntList, xrefs: 0044BDF0
GetThemeSysInt, xrefs: 0044BEA4
GetThemeAppProperties, xrefs: 0044BF10
GetWindowTheme, xrefs: 0044BEDA
GetThemeBackgroundRegion, xrefs: 0044BCD0
GetThemeSysColorBrush, xrefs: 0044BE4A
GetThemeColor, xrefs: 0044BD3C
IsAppThemed, xrefs: 0044BEC8
CloseThemeData, xrefs: 0044BC40
IsThemePartDefined, xrefs: 0044BD18
IsThemeBackgroundPartiallyTransparent, xrefs: 0044BD2A
DrawThemeEdge, xrefs: 0044BCF4
uxtheme.dll, xrefs: 0044BC0B
GetThemeSysString, xrefs: 0044BE92
GetThemeSysSize, xrefs: 0044BE6E
GetThemeTextExtent, xrefs: 0044BCAC
SetThemeAppProperties, xrefs: 0044BF22
GetThemePropertyOrigin, xrefs: 0044BE02
GetThemePosition, xrefs: 0044BDA8
SetWindowTheme, xrefs: 0044BE14
GetThemeMargins, xrefs: 0044BDDE
GetThemeRect, xrefs: 0044BDCC
GetThemeSysBool, xrefs: 0044BE5C
DrawThemeIcon, xrefs: 0044BD06
GetThemeSysColor, xrefs: 0044BE38
IsThemeDialogTextureEnabled, xrefs: 0044BEFE
GetThemeDocumentationProperty, xrefs: 0044BF46
DrawThemeParentBackground, xrefs: 0044BF58
HitTestThemeBackground, xrefs: 0044BCE2
GetThemeEnumValue, xrefs: 0044BD96
EnableThemeDialogTexture, xrefs: 0044BEEC
GetThemeBackgroundContentRect, xrefs: 0044BC76, 0044BC88
GetThemeBool, xrefs: 0044BD72
IsThemeActive, xrefs: 0044BEB6
DrawThemeText, xrefs: 0044BC64
OpenThemeData, xrefs: 0044BC2E
DrawThemeBackground, xrefs: 0044BC52
GetThemeFilename, xrefs: 0044BE26
GetThemeFont, xrefs: 0044BDBA
GetThemeString, xrefs: 0044BD60
EnableTheming, xrefs: 0044BF6A
GetThemeMetric, xrefs: 0044BD4E
GetThemePartSize, xrefs: 0044BC9A
GetThemeInt, xrefs: 0044BD84
GetThemeTextMetrics, xrefs: 0044BCBE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 67b95b5371f249a8e9232e37dcb11037f6e4e7b41a9552869577b47b5d37a655
Instruction ID: ecd7112d65f411c7eccfc6eab1653a3c74b71e6b2ad24da097032ecd241f34bd
Opcode Fuzzy Hash: 67b95b5371f249a8e9232e37dcb11037f6e4e7b41a9552869577b47b5d37a655
Instruction Fuzzy Hash: 3AA14DB0A41710EBEB40EFF6DCC6A2A37A8EB15B1475405BBB440EF295D6789C048F5E

Function 004952EC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,004957E1,?,?,?,?,00000000,00000000,00000000), ref: 0049532C
FindWindowA.USER32(00000000,00000000), ref: 0049535D

Strings

SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049559B
OEMTOCHARBUFF, xrefs: 0049573F
FREEDLL, xrefs: 004956D8
REGISTERWINDOWMESSAGE, xrefs: 004954BF
SLEEP, xrefs: 00495316
CREATEMUTEX, xrefs: 0049570D
CHARTOOEMBUFF, xrefs: 00495782
SENDMESSAGE, xrefs: 004953B1
POSTMESSAGE, xrefs: 00495407
FINDWINDOWBYCLASSNAME, xrefs: 00495339
POSTBROADCASTMESSAGE, xrefs: 00495547
CALLDLLPROC, xrefs: 00495651
SENDNOTIFYMESSAGE, xrefs: 00495463
SENDBROADCASTMESSAGE, xrefs: 004954F9
FINDWINDOWBYWINDOWNAME, xrefs: 00495375
LOADDLL, xrefs: 004955EF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
Instruction ID: 81b0b0a091168c97ae0ef179256dddc1b1175ea621cc4e7edfbae85d46dbfd27
Opcode Fuzzy Hash: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
Instruction Fuzzy Hash: BEC17364B04A006BDB11BA7E8C8252F5D999F98704B21D97FB406EB78BCE3CDD0A435D

Function 10007730 Relevance: 51.1, APIs: 24, Strings: 5, Instructions: 312windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 10007782
GetDlgItem.USER32(?,000003EC), ref: 10007793
SendMessageA.USER32(00000000,?,000003EC,00000030), ref: 1000779A
GetDlgItem.USER32(?,000003ED), ref: 100077AB
SendMessageA.USER32(00000000,?,000003ED,00000030), ref: 100077B2
GetDlgItem.USER32(00000000,000003E9), ref: 100077C3
SendMessageA.USER32(00000000,?,00000001), ref: 100077CA
GetDlgItem.USER32(?,00000005), ref: 100077D8
SendMessageA.USER32(00000000,?,00000005,00000030), ref: 100077DF
GetDlgItem.USER32(?,00000004), ref: 100077ED
SendMessageA.USER32(00000000,?,00000004,00000030), ref: 100077F4
GetDlgItem.USER32(00000000,00000003), ref: 10007802
SendMessageA.USER32(00000000,?,00000001), ref: 10007809
SetWindowTextA.USER32(?,-00000004), ref: 1000785C
GetDlgItem.USER32(?,00000004), ref: 100078BA
SetWindowTextA.USER32(00000000), ref: 100078C1
GetDlgItem.USER32(?,00000005), ref: 1000791F
SetWindowTextA.USER32(00000000), ref: 10007926
GetDlgItem.USER32(?,00000003), ref: 10007984
SetWindowTextA.USER32(00000000), ref: 1000798B
GetDlgItem.USER32(?,000003EC), ref: 10007A27
SetWindowTextA.USER32(00000000), ref: 10007A2E
GetDlgItem.USER32(?,000003ED), ref: 10007AE0
SetWindowTextA.USER32(00000000), ref: 10007AE7

Strings

Download failed, xrefs: 10007824, 100079BD
Retry, xrefs: 1000788A
Cancel, xrefs: 10007954
Ignore, xrefs: 100078EF
The following files were not downloaded:, xrefs: 10007AAD

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Item$MessageSend$TextWindow
String ID: Cancel$Download failed$Ignore$Retry$The following files were not downloaded:
API String ID: 2645603783-2260887806
Opcode ID: bf020de531ff841d831f778a24686d13b9d6e729cae5f44960efe0365974c649
Instruction ID: fc4a234e96a817ade233887837cee60500aee3dd11a4ef03af4566e99fc04ec6
Opcode Fuzzy Hash: bf020de531ff841d831f778a24686d13b9d6e729cae5f44960efe0365974c649
Instruction Fuzzy Hash: 1BC1DEB1914340ABE710DF64CC8AF5BBBA9FF84740F60491DF6885B281CB75E946CB92

Function 1001824B Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10015F58,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182,?), ref: 10018251
__mtterm.LIBCMT ref: 1001825D

Part of subcall function 10017F35: __decode_pointer.LIBCMT ref: 10017F46
Part of subcall function 10017F35: TlsFree.KERNEL32(00000028,10015FF4,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182,?), ref: 10017F60
Part of subcall function 10017F35: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,10015FF4,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C), ref: 1001AC92
Part of subcall function 10017F35: DeleteCriticalSection.KERNEL32(00000028,?,00000001,10015FF4,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182), ref: 1001ACBC

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10018273
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10018280
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001828D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001829A
TlsAlloc.KERNEL32(?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182,?), ref: 100182EA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,100160C8,00000001,?,?,1002CA38,0000000C,10016182,?), ref: 10018305
__init_pointers.LIBCMT ref: 1001830F
__encode_pointer.LIBCMT ref: 1001831A
__encode_pointer.LIBCMT ref: 1001832A
__encode_pointer.LIBCMT ref: 1001833A
__encode_pointer.LIBCMT ref: 1001834A
__decode_pointer.LIBCMT ref: 1001836B
__calloc_crt.LIBCMT ref: 10018384
__decode_pointer.LIBCMT ref: 1001839E
GetCurrentThreadId.KERNEL32 ref: 100183B4

Strings

FlsSetValue, xrefs: 10018282
KERNEL32.DLL, xrefs: 1001824C
FlsFree, xrefs: 1001828F
FlsAlloc, xrefs: 1001826D
FlsGetValue, xrefs: 10018275

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: 091d674f583d12cc8edc3d4086fca9ec23260268bdba0042e7b9fa39495d3bfe
Instruction ID: b59bc52e39c4c573ced7285281f8372ab40e3c3dc34f4e0855858f899626d077
Opcode Fuzzy Hash: 091d674f583d12cc8edc3d4086fca9ec23260268bdba0042e7b9fa39495d3bfe
Instruction Fuzzy Hash: 583153398046219EEB12EF759C895D63AF0FB4A790B21096BF4159E2F2DB31D681CB90

Function 100131F0 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 352networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 100130C0: InternetConnectA.WININET(?,?,?,?,?,?,?,00000000), ref: 100131C9

FtpOpenFileA.WININET(?,00000000,80000000,80000002,00000000), ref: 10013308
HttpOpenRequestA.WININET(?,HEAD,00000000,00000000,00000000,?,84400000,00000000), ref: 1001340D
HttpSendRequestA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013432
GetLastError.KERNEL32(?,?,?,?,?), ref: 10013440
GetDesktopWindow.USER32 ref: 10013474
InternetErrorDlg.WININET(00000000,?,00000000,00000007,00000000), ref: 10013487

Strings

407, xrefs: 1001361C, 1001368F
Download cancelled, xrefs: 100134A4
HEAD, xrefs: 1001340B

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorHttpInternetOpenRequest$ConnectDesktopFileLastSendWindow
String ID: 407$Download cancelled$HEAD
API String ID: 2567109029-88966343
Opcode ID: db613ec7a51ded2032a35e11870998995a7572edcbba8e55971169fcc0c84d08
Instruction ID: 7f9d410524b28168fcef3deaa09cf2c400fef63c9baa2a67138e087d56acd3c3
Opcode Fuzzy Hash: db613ec7a51ded2032a35e11870998995a7572edcbba8e55971169fcc0c84d08
Instruction Fuzzy Hash: 21D17E715087819FE330DB64C885F9BB7E9EB89740F40891DF59A8B251DB30F988CB62

Function 0041CE9C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CED0
CreateCompatibleDC.GDI32(?), ref: 0041CEDC
CreateBitmap.GDI32(0041ADD4,?,00000001,00000001,00000000), ref: 0041CF00
CreateCompatibleBitmap.GDI32(?,0041ADD4,?), ref: 0041CF10
SelectObject.GDI32(0041D2CC,00000000), ref: 0041CF2B
FillRect.USER32(0041D2CC,?,?), ref: 0041CF66
SetTextColor.GDI32(0041D2CC,00000000), ref: 0041CF7B
SetBkColor.GDI32(0041D2CC,00000000), ref: 0041CF92
PatBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00FF0062), ref: 0041CFA8
CreateCompatibleDC.GDI32(?), ref: 0041CFBB
SelectObject.GDI32(00000000,00000000), ref: 0041CFEC
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041D004
RealizePalette.GDI32(00000000), ref: 0041D00D
SelectPalette.GDI32(0041D2CC,00000000,00000001), ref: 0041D01C
RealizePalette.GDI32(0041D2CC), ref: 0041D025
SetTextColor.GDI32(00000000,00000000), ref: 0041D03E
SetBkColor.GDI32(00000000,00000000), ref: 0041D055
BitBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00000000,00000000,00000000,00CC0020), ref: 0041D071
SelectObject.GDI32(00000000,?), ref: 0041D07E
DeleteDC.GDI32(00000000), ref: 0041D094

Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
Instruction ID: 50a53eb504fbb6e8939598bee840ef50963709612b5229ad76d17b3bfbc4c74e
Opcode Fuzzy Hash: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
Instruction Fuzzy Hash: 8061DD71E44605AFDF10EBA9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69

Function 1000E330 Relevance: 31.9, APIs: 1, Strings: 17, Instructions: 400COMMON

Download Yara Rule

APIs

Part of subcall function 10005410: std::_String_base::_Xlen.LIBCPMT ref: 10005469
Part of subcall function 10005410: _memcpy_s.LIBCMT ref: 100054B1

_setlocale.LIBCMT ref: 1000E8EB

Strings

FileProgressBar, xrefs: 1000E425
FileDownloaded, xrefs: 1000E4B8
Speed, xrefs: 1000E54C
WizardForm, xrefs: 1000E708
TotalProgressBar, xrefs: 1000E3DC
ElapsedTime, xrefs: 1000E5E0
BackButton, xrefs: 1000E6BE
GINextButton, xrefs: 1000E7E6
TotalDownloaded, xrefs: 1000E46E
InvisibleButton, xrefs: 1000E879
LabelFont, xrefs: 1000E79C
FileName, xrefs: 1000E502
GIBackButton, xrefs: 1000E830
RemainingTime, xrefs: 1000E62A
WizardPage, xrefs: 1000E752
NextButton, xrefs: 1000E674
Status, xrefs: 1000E596

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_s_setlocalestd::_
String ID: BackButton$ElapsedTime$FileDownloaded$FileName$FileProgressBar$GIBackButton$GINextButton$InvisibleButton$LabelFont$NextButton$RemainingTime$Speed$Status$TotalDownloaded$TotalProgressBar$WizardForm$WizardPage
API String ID: 3520238541-1600669
Opcode ID: 96426a2bb1ba6d23cd6b140db98d2b3b84f626c468df312a0cf19c341bc602dd
Instruction ID: 1acc09cb1054aad71c2b43dffb0aeac1ccb767e2dad10e7c916a6f9bcb7cd872
Opcode Fuzzy Hash: 96426a2bb1ba6d23cd6b140db98d2b3b84f626c468df312a0cf19c341bc602dd
Instruction Fuzzy Hash: 66025BB440C380AFD345CF28C495A4BBBE4FB99B45F84591EF1895B252DB78D488CB63

Function 004744A8 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00474660
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0047477B
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00474791
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004747B6

Strings

{group}\, xrefs: 00474502
Successfully created the icon., xrefs: 00474755
Dest filename: %s, xrefs: 00474602
.pif, xrefs: 00474557, 004746F5
.url, xrefs: 0047457A
Desktop.ini, xrefs: 00474837
.lnk, xrefs: 00474534
target.lnk, xrefs: 00474800
Creating the icon., xrefs: 00474675

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 971782779-2902529204
Opcode ID: dfedba3bd349ab3b5efeede3455e74f7497f55b16e4a34f5eada44c138dbca6e
Instruction ID: 3ad2e39f7b63c2e1f507bff71cd9103ce15de2bb976d6045025a0d2193d98ff2
Opcode Fuzzy Hash: dfedba3bd349ab3b5efeede3455e74f7497f55b16e4a34f5eada44c138dbca6e
Instruction Fuzzy Hash: A4D14574A00149AFDB01EFA9D581BEEBBF4AF48304F50806AF904B7391D7789D45CB69

Function 0049B254 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000,0049B9AD,?,00000000), ref: 0049B2D7
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000), ref: 0049B2EA
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000), ref: 0049B2FA
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049B31B
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000), ref: 0049B32B

Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911

Strings

.msg, xrefs: 0049B34E
/REG, xrefs: 0049B289
.lst, xrefs: 0049B368
Inno-Setup-RegSvr-Mutex, xrefs: 0049B2E1
Setup, xrefs: 0049B2C3
/REGU, xrefs: 0049B2AD

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: d6aed2ef425ab0066acebfcb6b2bf30655a38d553d8a2f30e9976cdf2af0e762
Instruction ID: b2f29c3ed6207bb9e160049bb2bddfcad5bd5dcd32a025f4107ba54bac6b8e5f
Opcode Fuzzy Hash: d6aed2ef425ab0066acebfcb6b2bf30655a38d553d8a2f30e9976cdf2af0e762
Instruction Fuzzy Hash: E691D430A04204AFDF11EBA5E952BAE7FB5EB49308F514477F900A7292C77CAC05DB99

Function 0045AF68 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045B224,?,?,?,?,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045B0D6

Strings

Failed to delete the file; it may be in use (%d)., xrefs: 0045B1C5
.chm, xrefs: 0045B004
The file appears to be in use (%d). Will delete on restart., xrefs: 0045B11F
.hlp, xrefs: 0045AF9F
.lnk, xrefs: 0045B043
Deleting file: %s, xrefs: 0045B075
.gid, xrefs: 0045AFB8
Failed to strip read-only attribute., xrefs: 0045B0BB
Stripped read-only attribute., xrefs: 0045B0AF
.chw, xrefs: 0045B01D
.fts, xrefs: 0045AFDC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: cba0ce9831f5c6e6fd026f7e19bc4dd06a7e2d2876b7822625a22b0a780a2a35
Instruction ID: 2fb3476e9d017ff0a5902371132bc4733b6d883e7af691887050c1a5ddfae389
Opcode Fuzzy Hash: cba0ce9831f5c6e6fd026f7e19bc4dd06a7e2d2876b7822625a22b0a780a2a35
Instruction Fuzzy Hash: 8E71A0307002486BCB01EB6998867AF7BA5EF48705F50846BFC11DB383DB7C9A49879D

Function 0045D450 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045D46A
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D48A
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D497
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D4A4
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D4B2

Part of subcall function 0045D358: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D3F7,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D3D1

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D56B
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D574

Strings

advapi32.dll, xrefs: 0045D485
W, xrefs: 0045D582
GetNamedSecurityInfoW, xrefs: 0045D491
SetNamedSecurityInfoW, xrefs: 0045D49E
SetEntriesInAclW, xrefs: 0045D4AC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
Instruction ID: 783a5280d5c6dd2c4afe06b2d07c38c27ed9239d6cb54be80e3f389c0ae86338
Opcode Fuzzy Hash: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
Instruction Fuzzy Hash: B75164B1D00608EFDB20DF99C841BAEB7B8EF48315F14806AF915B7381D6789945CF69

Function 10010ED0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 269windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,0000000A,BackButton,0000000A,?,?,?,?,?,?,?,?,0000000A), ref: 10010FA5
EnableWindow.USER32(?), ref: 10011085

Part of subcall function 10005410: std::_String_base::_Xlen.LIBCPMT ref: 10005469
Part of subcall function 10005410: _memcpy_s.LIBCMT ref: 100054B1

EnableWindow.USER32(?,00000001), ref: 10010FCB
ShowWindow.USER32(?,00000005,0000000A,GIBackButton,0000000C,0000000A,GIBackButton,0000000C,0000000A,NextButton,0000000A), ref: 10011146
EnableWindow.USER32(?,00000001), ref: 1001116C
EnableWindow.USER32(?), ref: 10011226
SendMessageA.USER32(?,0000040A,00000000,00000000), ref: 10011284

Strings

NextButton, xrefs: 10010FEE, 10011049
TotalProgressBar, xrefs: 10011248
BackButton, xrefs: 10010F00, 10010F80
GINextButton, xrefs: 1001118F, 100111EA
GIBackButton, xrefs: 100110A8, 1001111D

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Enable$Show$MessageSendString_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$GINextButton$NextButton$TotalProgressBar
API String ID: 1812101747-114455261
Opcode ID: 23119850460d871dd33f71e22dff35b55c0663435790c4a612ca13e862a306eb
Instruction ID: ed506b060ffed767915349c7c7882e506e0dfa560629d63ae0263cfee80edf1b
Opcode Fuzzy Hash: 23119850460d871dd33f71e22dff35b55c0663435790c4a612ca13e862a306eb
Instruction Fuzzy Hash: B7B199B0508781AFD304CF64C895A5BBBE5EFC8744F404A2DF1A54B291DBB8E588CB93

Function 0041B83C Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B853
CreateCompatibleDC.GDI32(00000000), ref: 0041B85D
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B86F
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B886
GetDC.USER32(00000000), ref: 0041B892
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B8BF
ReleaseDC.USER32(00000000,00000000), ref: 0041B8E5
SelectObject.GDI32(00000000,?), ref: 0041B900
SelectObject.GDI32(?,00000000), ref: 0041B90F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
SelectObject.GDI32(00000000,00000000), ref: 0041B949
SelectObject.GDI32(?,00000000), ref: 0041B957
DeleteDC.GDI32(00000000), ref: 0041B960
DeleteDC.GDI32(?), ref: 0041B969

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
Instruction ID: 5bdd10242b191c11111876c14ee0e8e9a171a3e9253023a3b6fe339c600245b0
Opcode Fuzzy Hash: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
Instruction Fuzzy Hash: F841AC71E40659ABDF10EAE9D846FAFB7BCEB08704F104466F614FB281C77869408BA4

Function 00455070 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,?,00000000,?,00000000,00455309,?,0045B3FA,00000003,00000000,00000000,00455340), ref: 00455189

Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045520D
RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045523C

Strings

, xrefs: 004550FA
RegOpenKeyEx, xrefs: 0045510C
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550A7
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550E0

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: b38089396f9bd1e80361f7f4aec32eb98fbac3fcb49b8dce190468ca970a8865
Instruction ID: a1e8c034b49f6a69a24190b621a186803033118ea706e5513908ccb254d87fbd
Opcode Fuzzy Hash: b38089396f9bd1e80361f7f4aec32eb98fbac3fcb49b8dce190468ca970a8865
Instruction Fuzzy Hash: 30914071D00608ABDB00DBE5D952BEEB7F8EB49305F50406BF904F7282D6789E098B69

Function 00459CE8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BF4: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459D8F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459DF9

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459E60

Strings

v4.0.30319, xrefs: 00459D81
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459D42
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459DAC
v1.1.4322, xrefs: 00459E52
.NET Framework not found, xrefs: 00459EAD
v2.0.50727, xrefs: 00459DEB
.NET Framework version %s not found, xrefs: 00459E99
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459E13

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 7b0c25b8646ceea1d37bfb8bee6288df2e7d11155bddc49a46ccef07b9b08108
Instruction ID: 28c73818cd0e0a48a6ea9a4a771bbd3fec88f932accac903083750955a5b2269
Opcode Fuzzy Hash: 7b0c25b8646ceea1d37bfb8bee6288df2e7d11155bddc49a46ccef07b9b08108
Instruction Fuzzy Hash: 6A51C135A041059BCB00DF65D8A2BEE77BADB49305F5444BBA901D7383EB39AE0EC758

Function 004592D4 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045930B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459327
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00459335
GetExitCodeProcess.KERNEL32(?), ref: 00459346
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045938D
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004593A9

Strings

Helper process exited, but failed to get exit code., xrefs: 0045937F
Helper process exited., xrefs: 00459355
Helper isn't responding; killing it., xrefs: 00459317
Stopping 64-bit helper process. (PID: %u), xrefs: 004592FD
Helper process exited with failure code: 0x%x, xrefs: 00459373

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: a28fc19403df96fc00f073a75bee5de3f867f6fb9d8838196cadade5ec61da6c
Instruction ID: e85fc657e119397c97ed97e1faf084f02df15e80d39cea5897c552b80fc28b15
Opcode Fuzzy Hash: a28fc19403df96fc00f073a75bee5de3f867f6fb9d8838196cadade5ec61da6c
Instruction Fuzzy Hash: 1C212A70604740DBC720E779C88575B77D49F48305F04892EBC9ADB292EA78EC489B6A

Function 1001EA46 Relevance: 18.2, APIs: 12, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,10029470,00000001,?,?,?,00000200,?,?,?,1001EC2C,00000001,?,00000001,?,?), ref: 1001EA73
GetLastError.KERNEL32 ref: 1001EA85
MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00000200,?,?,?,1001EC2C,00000001,?,00000001), ref: 1001EAEA
__alloca_probe_16.LIBCMT ref: 1001EB0B
_malloc.LIBCMT ref: 1001EB1F
_memset.LIBCMT ref: 1001EB3F
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000), ref: 1001EB54
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1001EB62
__freea.LIBCMT ref: 1001EB6C
___ansicp.LIBCMT ref: 1001EB96
___convertcp.LIBCMT ref: 1001EBB7

Part of subcall function 10020373: GetCPInfo.KERNEL32(?,00000001,?,00000000,00000000,00000200,?,?,?,1001EC2C,00000001,?,00000001,?,?,?), ref: 100203BC
Part of subcall function 10020373: GetCPInfo.KERNEL32(?,00000001), ref: 100203D5
Part of subcall function 10020373: _strlen.LIBCMT ref: 100203F3
Part of subcall function 10020373: __alloca_probe_16.LIBCMT ref: 10020413
Part of subcall function 10020373: _memset.LIBCMT ref: 1002046B
Part of subcall function 10020373: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 10020482
Part of subcall function 10020373: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 1002049D

GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,00000200,?,?,?,1001EC2C,00000001,?,00000001,?), ref: 1001EBD7

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Info__alloca_probe_16_memset$ErrorLast___ansicp___convertcp__freea_malloc_strlen
String ID:
API String ID: 2971996645-0
Opcode ID: ad2cfcae46f9c40792f6c24997c996c081d28579b3556665eb13a23ddd0f0b2c
Instruction ID: ab33eb8d0cf54a8948ecbb44247258d8e03b166ce1ae19588d734a95c06230af
Opcode Fuzzy Hash: ad2cfcae46f9c40792f6c24997c996c081d28579b3556665eb13a23ddd0f0b2c
Instruction Fuzzy Hash: 5251697150429AAFDF00CF64CCC199F7BE9FB08394B614426F906DB261D730EDA18BA1

Function 10010B50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,0000000A,BackButton,0000000A,?,?,?,?,?,?,?,?,0000000A), ref: 10010C24
EnableWindow.USER32(?,00000000), ref: 10010CFD

Part of subcall function 10005410: std::_String_base::_Xlen.LIBCPMT ref: 10005469
Part of subcall function 10005410: _memcpy_s.LIBCMT ref: 100054B1

EnableWindow.USER32(?,00000000), ref: 10010C49
ShowWindow.USER32(?,00000000,0000000A,GIBackButton,0000000C,0000000A,GIBackButton,0000000C,0000000A,NextButton,0000000A), ref: 10010DBD
EnableWindow.USER32(?,00000000), ref: 10010DE2
EnableWindow.USER32(?,00000000), ref: 10010E96

Strings

NextButton, xrefs: 10010C6C, 10010CC7
GINextButton, xrefs: 10010E05, 10010E60
BackButton, xrefs: 10010B80, 10010C00
GIBackButton, xrefs: 10010D20, 10010D95

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Enable$Show$String_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$GINextButton$NextButton
API String ID: 3471100403-2299138808
Opcode ID: 9ae69a1eca4e9bbefc7a77ebc728263f0cc7256fd4ea9ade0bccfc038f7c6a33
Instruction ID: ec4f8d1dbd3d33f8a4fc2f27fa54487ed9a29d8a23fddd7b9ce27b760d3a6cbe
Opcode Fuzzy Hash: 9ae69a1eca4e9bbefc7a77ebc728263f0cc7256fd4ea9ade0bccfc038f7c6a33
Instruction Fuzzy Hash: F7A179B15087819FD304CF55C894A5BBBE9EBC8744F404A2DF1A54B291CBB9E988CF93

Function 00454D24 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E274: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E2A0

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454E4B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454F87

Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

Strings

, xrefs: 00454DAD
RegCreateKeyEx, xrefs: 00454DBF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D63
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D93

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
Instruction ID: c7e759269ab329005b5c2b3a4910326777c7a2f104b103968227fab848b04cb9
Opcode Fuzzy Hash: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
Instruction Fuzzy Hash: FB81FE71A00209AFDB10DF95C952BEEB7B8FB48305F50452AF900FB282D7789E45CB69

Function 00499ABC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004540B8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
Part of subcall function 004540B8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00499B39
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00499C8D), ref: 00499B5A
CreateWindowExA.USER32(00000000,STATIC,00499C9C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00499B81
SetWindowLongA.USER32(?,000000FC,00499314), ref: 00499B94
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC,00499C9C), ref: 00499BC4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00499C38
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000), ref: 00499C44

Part of subcall function 0045452C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613

DestroyWindow.USER32(?,00499C67,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC), ref: 00499C5A

Strings

STATIC, xrefs: 00499B7A
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00499BF3

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: 6d8643aa58682e844a2661fba7b77c03e51012a98f338dc7a5e1e487ecee0865
Instruction ID: eb5cd57210df4e96fe4a968102c50da815bdab5ab87cf2bc8b3503f8df2cfa0e
Opcode Fuzzy Hash: 6d8643aa58682e844a2661fba7b77c03e51012a98f338dc7a5e1e487ecee0865
Instruction Fuzzy Hash: 36414170A00208AFDF00EBA9DD42F9E7BF8EB09704F11457AF510F7291D6799E008B68

Function 0042F654 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F660
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F674
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F681
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F68E
GetWindowRect.USER32(?,00000000), ref: 0042F6DA
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F718

Strings

GetMonitorInfoA, xrefs: 0042F688
user32.dll, xrefs: 0042F66F
MonitorFromWindow, xrefs: 0042F67B
(, xrefs: 0042F6B9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
Instruction ID: 4fddece845ce4b02eeba35f690bf3974305695bca327a465bc6d277b32236c01
Opcode Fuzzy Hash: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
Instruction Fuzzy Hash: F721C2B67006146BD300EA78EC85F3B77A9DBD4710F98463AF944DB382DA78EC084B59

Function 00463DE4 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00463DF0
GetModuleHandleA.KERNEL32(user32.dll), ref: 00463E04
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463E11
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00463E1E
GetWindowRect.USER32(?,00000000), ref: 00463E6A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00463EA8

Strings

(, xrefs: 00463E49
GetMonitorInfoA, xrefs: 00463E18
user32.dll, xrefs: 00463DFF
MonitorFromWindow, xrefs: 00463E0B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
Instruction ID: 5546c7ca55dac75a37d5be63b5862a2b7bf7fa91672d6aed0c393ab4f47302e1
Opcode Fuzzy Hash: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
Instruction Fuzzy Hash: 5821B0B67006146BD300AB68CC41F3B76D9DB84B01F08452EF944DB382EA79ED018B6A

Function 10017F72 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 46libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,1002CA78,0000000C,10018084,00000000,00000000), ref: 10017F83
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10017FAC
GetProcAddress.KERNEL32(?,DecodePointer), ref: 10017FBC
InterlockedIncrement.KERNEL32(100307F8), ref: 10017FDE
__lock.LIBCMT ref: 10017FE6
___addlocaleref.LIBCMT ref: 10018005

Strings

EncodePointer, xrefs: 10017FA0
KERNEL32.DLL, xrefs: 10017F7E
DecodePointer, xrefs: 10017FB4
"v`"v, xrefs: 10017FDE

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL$"v`"v
API String ID: 1036688887-692071613
Opcode ID: 3f20a19357eba5985217602ee77d158d2a606d63a4b219b98e3f025795f53c83
Instruction ID: 9060a6127f4207b7e65ad4c3e7cfb46c24e1f6a2e98670233e345eb60a1aaef3
Opcode Fuzzy Hash: 3f20a19357eba5985217602ee77d158d2a606d63a4b219b98e3f025795f53c83
Instruction Fuzzy Hash: CC11AC70800705AFE751CF39C884BAABBE0FF04341F104519F5AA9B250CB75EA80CF50

Function 004594AC Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045968B,?,00000000,004596EE,?,?,022F3858,00000000), ref: 00459509
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,022F3858,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459566
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,022F3858,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459573
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004595BF
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,022F3858,?,00000000,00459620,?,00000000), ref: 004595E5
GetLastError.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,022F3858,?,00000000,00459620,?,00000000), ref: 004595EC

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

CreateEvent, xrefs: 00459517
TransactNamedPipe, xrefs: 0045957F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 94d023d1efa5da9e2e7dcefe1a5b2e09118226f8c9a71aaece0e626b0ff6e101
Instruction ID: 5e3c9d9fc8331b786f0ce76ad2fce8520c17318b204ac54c9f287bbe44ec3061
Opcode Fuzzy Hash: 94d023d1efa5da9e2e7dcefe1a5b2e09118226f8c9a71aaece0e626b0ff6e101
Instruction Fuzzy Hash: 8B418D71A00608FFDB05DFA5C981F9EB7F9EB48714F1140A6F900E7692D6789E54CB28

Function 00457550 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004576B5,?,?,00000031,?), ref: 00457578
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 0045757E
LoadTypeLib.OLEAUT32(00000000,?), ref: 004575CB

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

OLEAUT32.DLL, xrefs: 00457573
ITypeLib::GetLibAttr, xrefs: 00457601
UnRegisterTypeLib, xrefs: 00457637
UnRegisterTypeLib, xrefs: 0045756E
LoadTypeLib, xrefs: 004575D6
GetProcAddress, xrefs: 0045758B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
Instruction ID: 6576a6400b1684fe66b120d0c5268abc33dc5c30e9c8dd9853542a513f4dec10
Opcode Fuzzy Hash: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
Instruction Fuzzy Hash: 2931B471604A04AFC711EFAADC41E5B77ADEB8C7157108476F804D3652DA38D904C728

Function 100104C0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 100104F2
SelectObject.GDI32(00000000), ref: 10010535
GetTextExtentPoint32A.GDI32(00000000,?,?,?), ref: 1001056D
ReleaseDC.USER32(0000000F,00000000), ref: 10010575
GetWindowRect.USER32(0000000F,EC6CF6C6), ref: 10010581
GetParent.USER32(0000000F), ref: 1001058F
MapWindowPoints.USER32(00000000,00000000,?,?), ref: 10010598
MoveWindow.USER32(0000000F,?,0000000F,?,?,00000000,?,?,LabelFont,00000009), ref: 100105B9

Strings

LabelFont, xrefs: 100104FA

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ExtentMoveObjectParentPoint32PointsRectReleaseSelectText
String ID: LabelFont
API String ID: 2456833781-2346607873
Opcode ID: 99c668a871bbe5cc709cd7bb5e333109b8f6eb540549ca3f4639c057d6a964e4
Instruction ID: 281e42c5f0357acdef57f98bfcf6bb07947ba3ee88405b598c6744b60f13115c
Opcode Fuzzy Hash: 99c668a871bbe5cc709cd7bb5e333109b8f6eb540549ca3f4639c057d6a964e4
Instruction Fuzzy Hash: E53137B6108344AFE300CB65CC89F6BBBF9FB89740F00491DF69686290DB75E945CB62

Function 0042FA40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042FA6F
GetFocus.USER32 ref: 0042FA77
RegisterClassA.USER32(0049C7AC), ref: 0042FA98
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB6C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FAD6
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FB1C
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FB2D
SetFocus.USER32(00000000,00000000,0042FB4F,?,?,?,00000001,00000000,?,00458BE2,00000000,0049E62C), ref: 0042FB34

Strings

,I, xrefs: 0042FB46, 0042FAFF, 0042FB0C
TWindowDisabler-Window, xrefs: 0042FACF, 0042FB15

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: ,I$TWindowDisabler-Window
API String ID: 3167913817-1404624659
Opcode ID: 24ffb5fbcd7dd1ef6c63b7291c4452f377a861dd0971578668a22e4c8ebfd3f1
Instruction ID: a62ceaa4fb40b7d97b276e036e96e71c03e0c95da72a7b9a05d0a528f526b251
Opcode Fuzzy Hash: 24ffb5fbcd7dd1ef6c63b7291c4452f377a861dd0971578668a22e4c8ebfd3f1
Instruction Fuzzy Hash: A9218171B80710BAE210EB66DD13F1A7AA4EB14B04FE1413BF604BB2D1D7B97D0586AD

Function 0042E8A8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E8D1
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E8D7
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E925

Strings

kernel32.dll, xrefs: 0042E8CC
GetUserDefaultUILanguage, xrefs: 0042E8C7
.DEFAULT\Control Panel\International, xrefs: 0042E8FC
Locale, xrefs: 0042E914
Control Panel\Desktop\ResourceLocale, xrefs: 0042E934

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 87b4461b7e86ce2d6717f7211101c23f211bba0a86979a7a1627f41e5905d31e
Instruction ID: cdd838938204d4cbb06352ad172040986bb4042bf6ca521554dfda5889237b72
Opcode Fuzzy Hash: 87b4461b7e86ce2d6717f7211101c23f211bba0a86979a7a1627f41e5905d31e
Instruction Fuzzy Hash: 7F212170B00229AFDB50EBA7DC46BAE77A9EB04304F904477A500E7291DB7C9E45DB1C

Function 00417210 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 004172A3
SaveDC.GDI32(?), ref: 004172B7
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004172DA
RestoreDC.GDI32(?,?), ref: 004172F5
CreateSolidBrush.GDI32(00000000), ref: 00417375
FrameRect.USER32(?,?,?), ref: 004173A8
DeleteObject.GDI32(?), ref: 004173B2
CreateSolidBrush.GDI32(00000000), ref: 004173C2
FrameRect.USER32(?,?,?), ref: 004173F5
DeleteObject.GDI32(?), ref: 004173FF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 7bfe991a36dcdb6d07b2c5d263508ec22064ddef5b3951d7b605cb29af9b978a
Instruction ID: c95a734d2d00aea9c177a3b06cfd5000d642d04c6817e823e80f404ee62f0a93
Opcode Fuzzy Hash: 7bfe991a36dcdb6d07b2c5d263508ec22064ddef5b3951d7b605cb29af9b978a
Instruction Fuzzy Hash: 8B513A716086445FDB51EF69C8C0B9B77E8AF48314F1445AAFD488B287C738EC82CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 00422678 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004226C3
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226E1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226EE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226FB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422708
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422715
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422722
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042272F
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042274D
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422769

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
Instruction ID: 3d3520f8b7ec6d74ae20e05d6755b86abcf69838e80cbfb0a1e170c33371412b
Opcode Fuzzy Hash: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
Instruction Fuzzy Hash: 4F2124703447047AE720E725DD8BFAB7AD89B04B08F044065B6447F2D3C6F8EA40869C

Function 10010890 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 193windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,BackButton,0000000A), ref: 10010955
ShowWindow.USER32(?,00000000,?,GIBackButton,0000000C,?,00000000,?,BackButton,0000000A), ref: 100109AB
EnableWindow.USER32(?,00000001), ref: 10010A5E

Part of subcall function 10005410: std::_String_base::_Xlen.LIBCPMT ref: 10005469
Part of subcall function 10005410: _memcpy_s.LIBCMT ref: 100054B1

SendMessageA.USER32(0000000C,00000111,00000000), ref: 10010AF1

Strings

NextButton, xrefs: 100109CF, 10010A2B, 10010A82
WizardForm, xrefs: 10010AA6
BackButton, xrefs: 10010923
GIBackButton, xrefs: 100108C5, 10010979

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Show$EnableMessageSendString_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$NextButton$WizardForm
API String ID: 1250478854-632213285
Opcode ID: f518be628fc89083a205aecc11afebb976eae7cab70e9f0e6d992759e14a0fa0
Instruction ID: b5166d1e5549dd6fe6437059c59fad26e7fe04a203249b2ac3f2f1059db3dd5c
Opcode Fuzzy Hash: f518be628fc89083a205aecc11afebb976eae7cab70e9f0e6d992759e14a0fa0
Instruction Fuzzy Hash: A0716CB55187809FE314CF64C895A5BFBE8EB84714F500A1EF2A5472A1CBB4D484CF93

Function 00483BEC Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00483DA9
FreeLibrary.KERNEL32(00000000), ref: 00483DBD
SendNotifyMessageA.USER32(000203D4,00000496,00002710,00000000), ref: 00483E2F

Strings

Restarting Windows., xrefs: 00483E0A
Not restarting Windows because Setup is being run from the debugger., xrefs: 00483DDE
GetCustomSetupExitCode, xrefs: 00483C49
DeinitializeSetup, xrefs: 00483CA5
Deinitializing Setup., xrefs: 00483C0A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 186ee2886046f9b43122ab043af96f7ec1ee3d20723b54ac4271aa589e2f1f9d
Instruction ID: eabafc25287b198f6322efd67ece7b763d9c4378165dc3fe8608e6ffeb49dec3
Opcode Fuzzy Hash: 186ee2886046f9b43122ab043af96f7ec1ee3d20723b54ac4271aa589e2f1f9d
Instruction Fuzzy Hash: 4451B030700240AFD710EF79D885B5E77E4EB29B09F50887BE800D72A1DB38AE49CB19

Function 00462974 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004629AF
GetActiveWindow.USER32 ref: 00462A13
CoInitialize.OLE32(00000000), ref: 00462A27
SHBrowseForFolder.SHELL32(?), ref: 00462A3E
CoUninitialize.OLE32(00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A53
SetActiveWindow.USER32(?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A69
SetActiveWindow.USER32(?,?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A72

Strings

A, xrefs: 004629E7

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
Instruction ID: 226cd12c2bf5eadadc06a8ace2d3cfe2a2dab59726cbcd1c1d639dda9b16e66d
Opcode Fuzzy Hash: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
Instruction Fuzzy Hash: 2A3130B0E00208AFCB10EFB6D945A9EBBF8EB09304F51447AF414F7251E7789A04CB69

Function 00474358 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675,?,?,00000000,004748F8), ref: 0047437C

Part of subcall function 0042D224: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D29A

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675), ref: 004743F3
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000), ref: 004743F9

Strings

CLSID2, xrefs: 004743A6
.ShellClassInfo, xrefs: 004743AB
desktop.ini, xrefs: 00474390
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004743B5
target.lnk, xrefs: 004743D1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
Instruction ID: 4e84a14b44ef1bdc1f764160ca150a50166b9b0d2b2f0232ddeafb405eb560a8
Opcode Fuzzy Hash: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
Instruction Fuzzy Hash: 2311C8307005147BD711E6659C82BAF73ADDB84758F60C17BF804A72C2DB3C9E02966D

Function 004190E4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00419100
GetSystemMetrics.USER32(0000000D), ref: 00419108
6FBC2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041910E

Part of subcall function 00410C88: 6FBBC400.COMCTL32(,I,000000FF,00000000,0041913C,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00410C8C

6FC2CB00.COMCTL32(,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041915E
6FC2C740.COMCTL32(00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419169
6FC2CB00.COMCTL32(,I,00000001,?,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000), ref: 0041917C
6FBC0860.COMCTL32(,I,0041919F,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E), ref: 00419192

Strings

,I, xrefs: 00419134, 0041914C, 0041915A, 00419178, 0041918E, 0041915D, 0041917B, 00419191

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MetricsSystem$C0860C2980C400C740
String ID: ,I
API String ID: 624341609-3697734810
Opcode ID: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
Instruction ID: 6bf9c1d71f03a7720a29bcea3f2ffb204bbf738efc2d09f76f7aaa5da4135df4
Opcode Fuzzy Hash: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
Instruction Fuzzy Hash: D0116675744304BBEB14EBA5DC83F9E73A8EB04B04F50456AF604E72D1E6B99D808B58

Function 0045DB44 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DB4D
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DB5D
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DB6D
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DB7D

Strings

inflate, xrefs: 0045DB57
inflateInit_, xrefs: 0045DB47
inflateEnd, xrefs: 0045DB67
inflateReset, xrefs: 0045DB77

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
Instruction ID: 6393fdd59b419d4e4f2c5b3e50f991f6d57498fd626e4870853c8bb2a7f4f2ae
Opcode Fuzzy Hash: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
Instruction Fuzzy Hash: 1101FFB0D00600DBE724EF369C4672636EAAFA4706F15C43BAD49D66A3E778548CCE1C

Function 0041AD6C Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041AE49
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE83
SetBkColor.GDI32(?,?), ref: 0041AE98
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEE2
SetTextColor.GDI32(00000000,00000000), ref: 0041AEED
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEFD
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AF3C
SetTextColor.GDI32(00000000,00000000), ref: 0041AF46
SetBkColor.GDI32(00000000,?), ref: 0041AF53

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
Instruction ID: cd8b06f21d39e7e3a7e3fb9164a1477e2cec4af8eaf2e363a2f859aea8ea57af
Opcode Fuzzy Hash: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
Instruction Fuzzy Hash: 5B61B4B5A00515EFCB40EFADD985E9AB7F9EF08314B1481AAF518DB251C734ED408BA8

Function 00458954 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458B08,?, /s ",?,regsvr32.exe",?,00458B08), ref: 00458A7A

Strings

D, xrefs: 00458A30
/u, xrefs: 004589B6
CreateProcess, xrefs: 00458A6C
Spawning 32-bit RegSvr32: , xrefs: 00458A01
regsvr32.exe", xrefs: 0045899B
0x%x, xrefs: 00458A9D
/s ", xrefs: 004589C3
Spawning 64-bit RegSvr32: , xrefs: 004589DF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 88a8ecc116849fa22b3bf7709861da5fee82e83137093402862dacaf9fb7c2de
Instruction ID: 80d87ab17c090028f18ddd9dc69d9a9522a7783b235ef4a64a7d04e5292bd67e
Opcode Fuzzy Hash: 88a8ecc116849fa22b3bf7709861da5fee82e83137093402862dacaf9fb7c2de
Instruction Fuzzy Hash: 8341E470E003486BDB11EF95C842B9DB7B9AF45305F50407FB904BB296DF78AE098B59

Function 0044D7E4 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D815
GetSysColor.USER32(00000014), ref: 0044D81C
SetTextColor.GDI32(00000000,00000000), ref: 0044D834
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D85D
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D867
GetSysColor.USER32(00000010), ref: 0044D86E
SetTextColor.GDI32(00000000,00000000), ref: 0044D886
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8AF
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8DA

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
Instruction ID: 7afddb25c4ac74ad42c6f663f4adf30dc2f4b2673d3e6822d8b2a46fb9ac5c49
Opcode Fuzzy Hash: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
Instruction Fuzzy Hash: AB21AFB46015047FD700FB2ACD8AE9B7BECDF19319B00457A7914EB393C678DE408669

Function 00499360 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

GetWindowThreadProcessId.USER32(00000000,?), ref: 004993F1
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00499405
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0049941F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049942B
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499431
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499444

Strings

Deleting Uninstall data files., xrefs: 00499367

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 3a776e577e820ddaef14c7e250d16aa821cc1e2dd83993fe724374ff748e9082
Instruction ID: b7a2e365abb4ca1ce7a24153babf5e0292396e8760e8134f6a37584f4bf7a1e8
Opcode Fuzzy Hash: 3a776e577e820ddaef14c7e250d16aa821cc1e2dd83993fe724374ff748e9082
Instruction Fuzzy Hash: 8F214470708200AFEB21EF7AEC86B163798DB58759F11453FB901DA1E3D6789C05DA1D

Function 00471A60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D,?,?,?,?,00000000), ref: 00471AC7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D), ref: 00471ADE
AddFontResourceA.GDI32(00000000), ref: 00471AFB
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471B0F

Strings

Failed to set value in Fonts registry key., xrefs: 00471AD0
AddFontResource, xrefs: 00471B19
Failed to open Fonts registry key., xrefs: 00471AE5

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 84f6a41e8c6dd6550177eab81c252e77b7800c9e9bc3319483211bedbc9b2c33
Instruction ID: e418864d87a496604354a2259d3816e8ecf3f11e764263395734e4855b1f90ef
Opcode Fuzzy Hash: 84f6a41e8c6dd6550177eab81c252e77b7800c9e9bc3319483211bedbc9b2c33
Instruction Fuzzy Hash: 5B2181707402047BDB10EA6A9C42F9A679CDB45704F60C077B904EB3D2EA7CED05966D

Function 1000B830 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 1000B87D

Part of subcall function 1001621B: RaiseException.KERNEL32(?,?,10014774,?,?,?,?,?,10014774,?,1002D024,10031A64), ref: 1001625B

__CxxThrowException@8.LIBCMT ref: 1000B8C1
__CxxThrowException@8.LIBCMT ref: 1000B905
__CxxThrowException@8.LIBCMT ref: 1000B944

Strings

ios_base::failbit set, xrefs: 1000B8CB
ios_base::badbit set, xrefs: 1000B887
ios_base::eofbit set, xrefs: 1000B90A

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3476068407-1866435925
Opcode ID: 0d6574c4b8d0f2852891c05f094d968911462884a2713bd0ad415edaf70bf12b
Instruction ID: cd146272872ced55ef4406843b970657603d59c2871c0bf75d2210d99da4f7f1
Opcode Fuzzy Hash: 0d6574c4b8d0f2852891c05f094d968911462884a2713bd0ad415edaf70bf12b
Instruction Fuzzy Hash: 9B315CB5018B44AEE314DF54DC42F9BB7E8FB89380F808A1DF29946191EF74A509CB66

Function 00464224 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004168A0: GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
Part of subcall function 004168A0: UnregisterClassA.USER32(?,00400000), ref: 0041693B
Part of subcall function 004168A0: RegisterClassA.USER32(?), ref: 0041695E

GetVersion.KERNEL32 ref: 00464254
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00464292
SHGetFileInfo.SHELL32(00464330,00000000,?,00000160,00004011), ref: 004642AF
LoadCursorA.USER32(00000000,00007F02), ref: 004642CD
SetCursor.USER32(00000000,00000000,00007F02,00464330,00000000,?,00000160,00004011), ref: 004642D3
SetCursor.USER32(?,00464313,00007F02,00464330,00000000,?,00000160,00004011), ref: 00464306

Strings

Explorer, xrefs: 0046426E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
Instruction ID: b3b98aa5a53488e53f8304eecf0dc9993ee5463f80e55bafd62bb8cbb11790a6
Opcode Fuzzy Hash: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
Instruction Fuzzy Hash: 4321BB307403046AFF11BBB65C47B9A76989B45708F5040BBBA05EB2C3D9BD5851866D

Function 0047A4E4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,022F7A28,?,?,?,022F7A28), ref: 0047A540
CloseHandle.KERNEL32(00000000,?,?,?,022F7A28,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E

Strings

GetFinalPathNameByHandleA, xrefs: 0047A4F3
kernel32.dll, xrefs: 0047A4F8

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: f6e096ca0daf558875fc081709d481464f2ae0a0495a8f950f35fc7622461238
Instruction ID: 4c547af52153d5fc494c8abbb987ccd3797ba2b79672919e7250df90ec71fc91
Opcode Fuzzy Hash: f6e096ca0daf558875fc081709d481464f2ae0a0495a8f950f35fc7622461238
Instruction Fuzzy Hash: 54019291B4070476E520717A4C86BBF264C8BD4769F248137BB1CFE2D2E9AD992601AF

Function 0045A69C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A81E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045A762

Part of subcall function 00454BF0: FindClose.KERNEL32(000000FF,00454CE6), ref: 00454CD5

Strings

Stripped read-only attribute., xrefs: 0045A724
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A73C
Deleting directory: %s, xrefs: 0045A6EB
Failed to strip read-only attribute., xrefs: 0045A730
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A7D7
Failed to delete directory (%d). Will retry later., xrefs: 0045A77B
Failed to delete directory (%d)., xrefs: 0045A7F8

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
Instruction ID: ed451348c7d3678a4819a833a09a40bf82a586c96773c367329f7393d5e0e002
Opcode Fuzzy Hash: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
Instruction Fuzzy Hash: 9441A734A101189BCB00EB6988417AE76A59F89306F55867FAC01E7383DB7CCA1D875F

Function 00429910 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042991A
GetTextMetricsA.GDI32(00000000), ref: 00429923

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(00000000,00000000), ref: 00429932
GetTextMetricsA.GDI32(00000000,?), ref: 0042993F
SelectObject.GDI32(00000000,00000000), ref: 00429946
ReleaseDC.USER32(00000000,00000000), ref: 0042994E
GetSystemMetrics.USER32(00000006), ref: 00429973
GetSystemMetrics.USER32(00000006), ref: 0042998D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
Instruction ID: 064b8ceea34646deb673d9898a5f132a00f345b4bbd4d539d92df2c89931976d
Opcode Fuzzy Hash: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
Instruction Fuzzy Hash: 1801C4D17047112BF710B2B69CC2F6B5588DB84368F44053FFA869A3D3E97D9C80866E

Function 0041E2B4 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041E2B7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E2C1
ReleaseDC.USER32(00000000,00000000), ref: 0041E2CE
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E2DD
GetStockObject.GDI32(00000007), ref: 0041E2EB
GetStockObject.GDI32(00000005), ref: 0041E2F7
GetStockObject.GDI32(0000000D), ref: 0041E303
LoadIconA.USER32(00000000,00007F00), ref: 0041E314

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
Instruction ID: eda06bb9e73b08d19024368069479301758e63dc44a0e31fec7fdbc279e4b1ec
Opcode Fuzzy Hash: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
Instruction Fuzzy Hash: 8C112B70645301AAE740FF765996BAA3690D724708F40943BF604EF3D2DB7E5C418B6E

Function 00464634 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00464738
SetCursor.USER32(00000000,00000000,00007F02,00000000,004647CD), ref: 0046473E
SetCursor.USER32(?,004647B5,00007F02,00000000,004647CD), ref: 004647A8

Strings

, xrefs: 004649B3
, xrefs: 004649CE
Internal error: Item already expanding, xrefs: 004646D5

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
Instruction ID: 9cbbcba472df96bd09ce797c5f765fac8c2f652b56477a68fde2327aac6a5f51
Opcode Fuzzy Hash: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
Instruction Fuzzy Hash: 8CB1C174600604DFDB20DF65C585B9BBBF0AF85308F1580ABE8459B792E778ED44CB1A

Function 10003340 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 249COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 10003357

Strings

Unknown, xrefs: 1000F3DF
MB/s, xrefs: 1000F47E
Speed, xrefs: 1000F436
RemainingTime, xrefs: 1000F3A4
KB/s, xrefs: 1000F4BD

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CountTick
String ID: KB/s$MB/s$RemainingTime$Speed$Unknown
API String ID: 536389180-3641574352
Opcode ID: ab0434d183f243e0ed6e512f89f3685bdb81d8b3184551b64f2266404b659fb0
Instruction ID: bd3edbe84073a581e45eb2bdc281081dc8067cdb59d34de02d3a8bd64a9b0f5b
Opcode Fuzzy Hash: ab0434d183f243e0ed6e512f89f3685bdb81d8b3184551b64f2266404b659fb0
Instruction Fuzzy Hash: 6CA1E2B19087809BD310EF28C845B4BBBF4FB88394F50896DF99447256DB31E548CBA3

Function 0045452C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613

Strings

MoveFileEx, xrefs: 00454823
NUL, xrefs: 004546D5
WININIT.INI, xrefs: 004545C1
[rename], xrefs: 00454676, 004546B2
.tmp, xrefs: 004545CF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: ef2b37ecb60733e99519b8817963c481a42caec7a41d94771ca950514a75206d
Instruction ID: c5648654d35dc4fa5992192bdfac3c74e0b4d15883e79a195514524b6fb94f40
Opcode Fuzzy Hash: ef2b37ecb60733e99519b8817963c481a42caec7a41d94771ca950514a75206d
Instruction Fuzzy Hash: D1912334A001099BDB01EFA5D841BDEB7F5EF89309F508467E900BB692D778AE49CB58

Function 1001E9C4 Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,10029470,00000001,?,?,?,00000200,?,?,?,1001EC2C,00000001,?,00000001,?,?), ref: 1001EA73
MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00000200,?,?,?,1001EC2C,00000001,?,00000001), ref: 1001EAEA
__alloca_probe_16.LIBCMT ref: 1001EB0B

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide__alloca_probe_16
String ID:
API String ID: 1485939849-0
Opcode ID: f34b825662bd055eb4f319c4d7e12427de5614a4d18ce492dd3096f531484fda
Instruction ID: 4bad496bf5ea3fb3bce38e9283f96bf0082282f14c9bb01bca957e4837ef70b6
Opcode Fuzzy Hash: f34b825662bd055eb4f319c4d7e12427de5614a4d18ce492dd3096f531484fda
Instruction Fuzzy Hash: 5D51D1715042D5DFD702CF24CC8199E7FA5FF0A3A8B6A04A9E941AA022D736DD95CB90

Function 00408BB0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408DF8,?,?,?,?,00000000,00000000,00000000,?,00409DFF,00000000,00409E12), ref: 00408BCA

Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Part of subcall function 00408A44: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C46,?,?,?,00000000,00408DF8), ref: 00408A57

Strings

m/d/yy, xrefs: 00408C99
:mm, xrefs: 00408DAC
:mm:ss, xrefs: 00408DC6
AMPM, xrefs: 00408D95
mmmm d, yyyy, xrefs: 00408CBB

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
Instruction ID: 6e389ecbf5aa42e5faf75f2f0cdd2dfe5a993f3520af0ea01b43abf2a46df86b
Opcode Fuzzy Hash: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
Instruction Fuzzy Hash: 20514E34B00148ABDB01EBAAC94169E676ADB98308F50947FB091BB7C7CE3CDA05975D

Function 00411B84 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411D89), ref: 00411C1C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411CDA

Part of subcall function 00411F3C: CreatePopupMenu.USER32 ref: 00411F56

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D66

Part of subcall function 00411F3C: CreateMenu.USER32 ref: 00411F60

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D4D

Strings

,, xrefs: 00411C2F
?, xrefs: 00411C36

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
Instruction ID: 3fb5e0cd3bdc3201fae72ff24864c2251e092a1c83a82613ff871d7f09dca240
Opcode Fuzzy Hash: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
Instruction Fuzzy Hash: 82510674A00145ABDB10EF7ADD816DA7BF9AB09304F21417BFA04E73A6E738D941CB58

Function 0045580C Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28,00000000), ref: 004559B6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28), ref: 004559C3

Part of subcall function 00455778: WaitForInputIdle.USER32(?,00000032), ref: 004557A4
Part of subcall function 00455778: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
Part of subcall function 00455778: GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
Part of subcall function 00455778: CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5

Strings

COMMAND.COM" /C , xrefs: 00455920
.cmd, xrefs: 004558B7
.bat, xrefs: 0045589C
cmd.exe" /C ", xrefs: 004558E9
D, xrefs: 00455954

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 507f094d76cd667aa2017d5ded2e4ab533ed5b9f1343ca21013152d5989c650d
Instruction ID: 0bf838f29b43a6125692e3b7c5bec048a51817b33ba316f47a5a27346a6aee42
Opcode Fuzzy Hash: 507f094d76cd667aa2017d5ded2e4ab533ed5b9f1343ca21013152d5989c650d
Instruction Fuzzy Hash: 34518B7060074DABDB00EF95D892BEEBBB9AF44305F50453BB804B7292D77C5E098759

Function 0041C2F3 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041C3B8
GetObjectA.GDI32(?,00000018,?), ref: 0041C3C7
GetBitmapBits.GDI32(?,?,?), ref: 0041C418
GetBitmapBits.GDI32(?,?,?), ref: 0041C426
DeleteObject.GDI32(?), ref: 0041C42F
DeleteObject.GDI32(?), ref: 0041C438
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C455

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
Instruction ID: 503a746306143f5d70b37ccc37edd8169d972c8c437de2bc6362dd1504a2ea70
Opcode Fuzzy Hash: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
Instruction Fuzzy Hash: 52511831E002199FCB14DFE9C8819EEB7F9EF48314B10852AF914E7391D638AD81CB64

Function 0041D368 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D38E
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D3AD
SelectPalette.GDI32(?,?,00000001), ref: 0041D413
RealizePalette.GDI32(?), ref: 0041D422
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D48C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D4CA
SelectPalette.GDI32(?,?,00000001), ref: 0041D4EF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
Instruction ID: 994e6928e375576195bbff131da20e2633e51e8889d6c5a0b4bc55991cd6db0b
Opcode Fuzzy Hash: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
Instruction Fuzzy Hash: 10512FB0A00604AFD714DFA9C985F9AB7F9EF08304F148599B959D7292C778ED80CB58

Function 00457B6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00457BBE

Part of subcall function 0042470C: GetWindowTextA.USER32(?,?,00000100), ref: 0042472C

Part of subcall function 0041F334: GetCurrentThreadId.KERNEL32 ref: 0041F383
Part of subcall function 0041F334: EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457C25
TranslateMessage.USER32(?), ref: 00457C43
DispatchMessageA.USER32(?), ref: 00457C4C

Strings

[Paused] , xrefs: 00457BF4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
Instruction ID: 06e1226616be40fe5bc559768a91633e97e499603686e5a952697563b4c26b81
Opcode Fuzzy Hash: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
Instruction Fuzzy Hash: 523195319082485EDB12DBB5E841BDE7BF8DB49304F908077E810E7292D63C9909CB68

Function 0046C9CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046CB0B), ref: 0046CA88
LoadCursorA.USER32(00000000,00007F02), ref: 0046CA96
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CA9C
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAA6
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAAC

Strings

CheckPassword, xrefs: 0046CA30

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: b011458cb729c60ce144568bfe133873a52670ccbc0d1a437788af54ec369301
Instruction ID: dc4a4552949694c44ab81909cbfa5d37629526438aba0b0bd6801612213ae34e
Opcode Fuzzy Hash: b011458cb729c60ce144568bfe133873a52670ccbc0d1a437788af54ec369301
Instruction Fuzzy Hash: 10318234740244AFD711DB69C8CAFAA7BE4AF05304F5580B6B944AB3E2D778AE40CB49

Function 1000DF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1000DF2B
std::_Lockit::_Lockit.LIBCPMT ref: 1000DF51
__CxxThrowException@8.LIBCMT ref: 1000DFE5
std::_Lockit::_Lockit.LIBCPMT ref: 1000DFFA
std::locale::facet::facet_Register.LIBCPMT ref: 1000E017

Strings

bad cast, xrefs: 1000DFCD

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::locale::facet::facet_
String ID: bad cast
API String ID: 1988240374-3145022300
Opcode ID: f3559da6f9a655964bb78822a0fd5d31394151d333624a8a656a7a23b482a4cc
Instruction ID: 82230c7a271eec3862c11afaf12b5856b759d5043ab5025c21eddcf8d5082210
Opcode Fuzzy Hash: f3559da6f9a655964bb78822a0fd5d31394151d333624a8a656a7a23b482a4cc
Instruction Fuzzy Hash: 8F31B1354086119FE701DF14D891B9EB3E0FB44760F468A6EF8669B295DB30FC44CB92

Function 00479DE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00479D08: GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
Part of subcall function 00479D08: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
Part of subcall function 00479D08: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29

SendMessageA.USER32(00000000,0000004A,00000000,0047A19A), ref: 00479E15
GetTickCount.KERNEL32 ref: 00479E5A
GetTickCount.KERNEL32 ref: 00479E64
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00479EB9

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 00479E4A
CallSpawnServer: Unexpected status: %d, xrefs: 00479EA2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
Instruction ID: d0290b535038f0b538ca996bd373034cc9ef5a4571df1c0a7e48467b85276075
Opcode Fuzzy Hash: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
Instruction Fuzzy Hash: 82319C34A102149ADB20EBB9C8867EEB7A59F44704F50843BB148EB382D67D8E41C7AD

Function 0045A014 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A0CF

Strings

Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A0DA
Failed to load .NET Framework DLL "%s", xrefs: 0045A0B4
.NET Framework CreateAssemblyCache function failed, xrefs: 0045A0F2
Fusion.dll, xrefs: 0045A06F
CreateAssemblyCache, xrefs: 0045A0C6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
Instruction ID: 9a321e89453ba4f36132349ca91dc91ba75a1bd21e0a38aa57df13fbbf55b943
Opcode Fuzzy Hash: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
Instruction Fuzzy Hash: B831A970D006059BCB11EFA5C84169EF7B5AF44715F40867BE910A7382DB3C9A188799

Function 0041C5D8 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C4D8: GetObjectA.GDI32(?,00000018), ref: 0041C4E5

GetFocus.USER32 ref: 0041C5F8
GetDC.USER32(?), ref: 0041C604
SelectPalette.GDI32(?,?,00000000), ref: 0041C625
RealizePalette.GDI32(?), ref: 0041C631
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C648
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C670
ReleaseDC.USER32(?,?), ref: 0041C67D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
Instruction ID: 25388d08763cc31724119198cc62293da4a252d14e83de2780c9a5f0ba17a272
Opcode Fuzzy Hash: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
Instruction Fuzzy Hash: C6116A71A40608BBDB10EBE9CC85FAFB7FCEF48700F15446AB518E7281D6789D008B68

Function 0048603C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004860F4), ref: 004860D9

Strings

LanmanNT, xrefs: 004860A3
WinNT, xrefs: 00486089
ServerNT, xrefs: 004860BD
System\CurrentControlSet\Control\ProductOptions, xrefs: 00486060
ProductType, xrefs: 00486078

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: c9539a08b2b853992093d52bd6a45a0801c08c2e485eb2d00d7f5d93e4191c3f
Instruction ID: a713916a89d0883095a157a8cdf94fb09fad54fb56f7fa23aac7c7215c81ef38
Opcode Fuzzy Hash: c9539a08b2b853992093d52bd6a45a0801c08c2e485eb2d00d7f5d93e4191c3f
Instruction Fuzzy Hash: C411BF30604248AADB82FB65CC45B9FBBA9DB12314F524977A800E7283EB3DDE45871D

Function 10007C80 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 10007CA3
LoadIconA.USER32(00000000,00007F03), ref: 10007CC1
GetDlgItem.USER32(?,000003EB), ref: 10007CDD
SendMessageA.USER32(00000000), ref: 10007CE0
GetDlgItem.USER32(?,00000005), ref: 10007CFB
ShowWindow.USER32(00000000), ref: 10007CFE
GetDlgItem.USER32(?,000003E9), ref: 10007D12

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Item$DialogIconLoadMessageSendShowWindow
String ID:
API String ID: 1615092200-0
Opcode ID: 6a1520962860c77f87f3e153edca328fa580c06cbdb6d37fb6f67d641262e419
Instruction ID: 908aa63a5ec54450efda2dd22186b3da308237a7a35ef60577aa1b2ce05e9d16
Opcode Fuzzy Hash: 6a1520962860c77f87f3e153edca328fa580c06cbdb6d37fb6f67d641262e419
Instruction Fuzzy Hash: 4D118275A04225AFF201DB25CC9DF6B37A9FF89741F104449F549DB2D5C7789902CB60

Function 00498374 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00498385

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(00000000,00000000), ref: 004983A7
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00498925), ref: 004983BB
GetTextMetricsA.GDI32(00000000,?), ref: 004983DD
ReleaseDC.USER32(00000000,00000000), ref: 004983FA

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004983B2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
Instruction ID: c67935f8e5cb56b1937036d64f6bf01096dd8c8546995d157710775fc85ec82d
Opcode Fuzzy Hash: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
Instruction Fuzzy Hash: 10018875604605AFEB00DFE9CC41F5FB7ECDB49704F51447AB500E7281EA78AD008B68

Function 0044CDDC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044CDAC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CDC4

LoadLibraryA.KERNEL32(00000000,00000000,0044CE9E,?,?,?,?,00000000,00000000), ref: 0044CE26
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CE37
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CE47

Strings

LresultFromObject, xrefs: 0044CE31
oleacc.dll, xrefs: 0044CE13
CreateStdAccessibleObject, xrefs: 0044CE41

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: 7ba4e215260a1174b67bd43160c3744282142a018bd3cfbd5bd7167bd4463890
Instruction ID: a702f4643fe6e099115479b548097bfe9a63d2924ca5d738d996a727133e4afc
Opcode Fuzzy Hash: 7ba4e215260a1174b67bd43160c3744282142a018bd3cfbd5bd7167bd4463890
Instruction Fuzzy Hash: 65119170602308ABF710EFA2DCC2B5A77A8E794708F64047BA00066691D7BD99448A1D

Function 0041B8F2 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B900
SelectObject.GDI32(?,00000000), ref: 0041B90F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
SelectObject.GDI32(00000000,00000000), ref: 0041B949
SelectObject.GDI32(?,00000000), ref: 0041B957
DeleteDC.GDI32(00000000), ref: 0041B960
DeleteDC.GDI32(?), ref: 0041B969

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
Instruction ID: 7af7168ee4e3f122af8b0d4427163761b09037522acd9a56f3a9582fc2e5d9ca
Opcode Fuzzy Hash: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
Instruction Fuzzy Hash: F7117CB2E40559ABDF10D6D9D885FAFB7BCEF08304F004416B714FB241C678A8418B94

Function 00423824 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0042383F
WindowFromPoint.USER32(?,?), ref: 0042384C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042385A
GetCurrentThreadId.KERNEL32 ref: 00423861
SendMessageA.USER32(00000000,00000084,?,?), ref: 0042387A
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423891
SetCursor.USER32(00000000), ref: 004238A3

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
Instruction ID: af43fee0338c9e624ebb6e65c196278dc7248109df2d757125d2dc099b9481b9
Opcode Fuzzy Hash: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
Instruction Fuzzy Hash: 4C01B16230431136D6207A795C86E2F26E8DFC5B19F50413FB509BE282DA3D8C00636D

Function 004019CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

`I, xrefs: 00401A4B
`I, xrefs: 00401A55

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: `I$`I
API String ID: 730355536-3984424023
Opcode ID: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
Instruction ID: 94269b02b44d1611755d75869bdd1b1cad58823c34eb859de2800409b3eb1631
Opcode Fuzzy Hash: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
Instruction Fuzzy Hash: BC01C070644240AEFB19EB6B98027253ED4D799748F11883BF440A6AF1CABD4840CB6E

Function 00498198 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 004981A8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004981B5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004981C2

Strings

MonitorFromRect, xrefs: 004981AF
user32.dll, xrefs: 004981A3
GetMonitorInfoA, xrefs: 004981BC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
Instruction ID: c24bc2e529edd3fc2f7d71c8166a3bd51aa09706bb3324dad5a4058a97bc4c43
Opcode Fuzzy Hash: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
Instruction Fuzzy Hash: D5F09662B81A1566DA20257E1C42A7B69CCCB87764F14017FBE44B7383EDAD8C0646BD

Function 0045DA18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045DA21
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045DA31
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045DA41

Strings

ArcFourInit, xrefs: 0045DA2B
ArcFourCrypt, xrefs: 0045DA3B
ISCryptGetVersion, xrefs: 0045DA1B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
Instruction ID: 1edccc56acb66b4562ddfa4c7a90d58ee85ee4b976394e257a4a6a33c45d2cf5
Opcode Fuzzy Hash: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
Instruction Fuzzy Hash: 52F01DB09056008BD314DF36AC45727379DEB98306F58803BA845D11A3E77A089CEA0C

Function 0045DF18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DF21
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DF31
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DF41

Strings

BZ2_bzDecompressEnd, xrefs: 0045DF3B
BZ2_bzDecompressInit, xrefs: 0045DF1B
BZ2_bzDecompress, xrefs: 0045DF2B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
Instruction ID: c781611ed6df2ffd52f678218cea13a9d8474895aea0bca464552a1c0941260e
Opcode Fuzzy Hash: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
Instruction Fuzzy Hash: 97F030B5E00300DEE724DF32AC0972336D9AFA4716F14803BA946D66A3D378444DCE2D

Function 0042EEAC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEC5
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EECB
InterlockedExchange.KERNEL32(0049E66C,00000001), ref: 0042EEDC

Part of subcall function 0042EE3C: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
Part of subcall function 0042EE3C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
Part of subcall function 0042EE3C: InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEF0

Strings

user32.dll, xrefs: 0042EEC0
ChangeWindowMessageFilterEx, xrefs: 0042EEBB

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
Instruction ID: d73472cc1cf9ee785b15135c95e247d87a8e276cbab312dacd1aac06db931f35
Opcode Fuzzy Hash: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
Instruction Fuzzy Hash: 6BE01BB1750720E6EE10B7777C46FA72654DB64769F950437F100A51D1C7FE0C848A6D

Function 0047AD94 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7

Strings

VerSetConditionMask, xrefs: 0047ADA1
kernel32.dll, xrefs: 0047AD95
VerifyVersionInfoW, xrefs: 0047ADB1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
Instruction ID: e761ed85866ee686b9535240fc539701727dd680da56f3fb001ecc562e4fb54d
Opcode Fuzzy Hash: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
Instruction Fuzzy Hash: 07C012E0680701AED610B7715C86D7E254DD550B1A320C03B7089B55C3D67C0C284F2D

Function 0041BAFC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BBD5
GetDC.USER32(?), ref: 0041BBE1
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BC16
RealizePalette.GDI32(00000000), ref: 0041BC22
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC50
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC84

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
Instruction ID: 6f3d196da8cc9963e266c073c65a40cf0d83fd4bf7ad6034c31d612a174a896e
Opcode Fuzzy Hash: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
Instruction Fuzzy Hash: 23511D70A00209AFDB11DFA9C895AEEBBF8FF49704F10446AF500A7750D7799D81CBA9

Function 0041BDCC Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BEA7
GetDC.USER32(?), ref: 0041BEB3
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEED
RealizePalette.GDI32(00000000), ref: 0041BEF9
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BF1D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF51

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
Instruction ID: d1d8e12ac76011fa0e11fd225ecf21e9d1788b3d06fe05564f2eab64f20773a9
Opcode Fuzzy Hash: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
Instruction Fuzzy Hash: 28510875A00618AFCB11DFA9C891AEEBBF9EF49700F158066F504EB750D7389D40CBA8

Function 00477568 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 0042F2FC: GetTickCount.KERNEL32 ref: 0042F302

Part of subcall function 0042F118: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F14D

GetLastError.KERNEL32(00000000,004776FD,?,?,0049F1E4,00000000), ref: 004775D0

Strings

, xrefs: 0047761E, 00477639
Renaming uninstaller., xrefs: 0047759F
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004776BB
The existing file appears to be in use (%d). Retrying., xrefs: 004775F1
MoveFileEx, xrefs: 0047764B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx$Renaming uninstaller.$The existing file appears to be in use (%d). Retrying.
API String ID: 2406187244-79500563
Opcode ID: d597868801e4d0ea2fd5800a3e69bd95f30f368d2522e7376fb4945bdb66630f
Instruction ID: 6023fe8b67aa7ba447fd38945f059c1701a0e9a08149722a7a21e5b3243787af
Opcode Fuzzy Hash: d597868801e4d0ea2fd5800a3e69bd95f30f368d2522e7376fb4945bdb66630f
Instruction Fuzzy Hash: 2B4145749041099FCB11EFA9D882ADEB7B4EF48314FA0853BE404A7355D77CA905CBAD

Function 0041B998 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA0E
GetDC.USER32(?), ref: 0041BA1A
GetDeviceCaps.GDI32(?,00000068), ref: 0041BA36
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA53
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA6A
ReleaseDC.USER32(?,?), ref: 0041BAB6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
Instruction ID: a7c0e65a03819a5ca0ecfd2330013adb4d65aecf06c5c54e884ed256bbcda07e
Opcode Fuzzy Hash: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
Instruction Fuzzy Hash: 7941C371A042149FDB10DFA9C886AAFBBB4EF45740F1484AAF940EB351D238AD11CBA5

Function 100143DD Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10014410
__calloc_crt.LIBCMT ref: 1001441C
CreateThread.KERNEL32(00000000,?,10014369,00000000,00000004,00000000), ref: 1001444F
ResumeThread.KERNEL32(00000000,?,?,?,?,?,10009436,10001F60,00000000,10032560), ref: 1001445F
GetLastError.KERNEL32(?,?,?,?,?,10009436,10001F60,00000000,10032560), ref: 1001446A
__dosmaperr.LIBCMT ref: 10014482

Part of subcall function 100179F0: __getptd_noexit.LIBCMT ref: 100179F0

Part of subcall function 1001459A: __decode_pointer.LIBCMT ref: 100145A3

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd_noexit
String ID:
API String ID: 4018905736-0
Opcode ID: 0c311c3bcce0f4c21b2cdf85f6b8aa463f7b44db2a2ff769e43984b274e6722d
Instruction ID: 6af206c98dabb6b8e01621cf6b11183f8f7259711ecb482eaa05c62315f3d78e
Opcode Fuzzy Hash: 0c311c3bcce0f4c21b2cdf85f6b8aa463f7b44db2a2ff769e43984b274e6722d
Instruction Fuzzy Hash: AC113875401214AFE710EFB4CC8198E77B8FF44374B22022AF5189B1E1CF70E9818661

Function 0045D8DC Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045DA14,?,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D986

Strings

MACHINE, xrefs: 0045D92A
CURRENT_USER, xrefs: 0045D91B
CLASSES_ROOT, xrefs: 0045D90C
USERS, xrefs: 0045D939

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
Instruction ID: 6e5dfac74c505aaab96e92fe344d79fc6b24c6561d5ee78f4b35f8cdf0e82ab5
Opcode Fuzzy Hash: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
Instruction Fuzzy Hash: 1611A5B5A04209AFD731DEA1C941BAA7AACDF48306F6040376D04A6283D67C5F0AD52E

Function 0041C21C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C265
GetSystemMetrics.USER32(0000000C), ref: 0041C26F
GetDC.USER32(00000000), ref: 0041C279
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C2A0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C2AD
ReleaseDC.USER32(00000000,00000000), ref: 0041C2E6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
Instruction ID: 9f2a90fdc7dd77bbc6d9abc5b90aadbfd0b864dc6f709442552c07669a95c1ee
Opcode Fuzzy Hash: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
Instruction Fuzzy Hash: 07213C75E44649AFEB00EFE9C882BEEB7B4EB48714F10806AF514B7280D7795940CB69

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049E420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00778D70,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00778D70,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00779D70,?,00000000,00008000,00778D70,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
Instruction ID: e11c9f51ffc8675c4dd52d411ec329e75971582e09b40c19516fbc4ecb4e7f79
Opcode Fuzzy Hash: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
Instruction Fuzzy Hash: 1E119D30B00340AAEB15EB67AC82B263BE49765708F44047BF40067AF2D67DA840876E

Function 0048099C Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 004809AA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046E2F5), ref: 004809D0
GetWindowLongA.USER32(?,000000EC), ref: 004809E0
SetWindowLongA.USER32(?,000000EC,00000000), ref: 00480A01
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00480A15
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00480A31

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
Instruction ID: 5fbc0a759a363429862e9e166b445db90943e559ec10ec679e577617c806b0ab
Opcode Fuzzy Hash: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
Instruction Fuzzy Hash: 3C014CB1650210ABD710EB79CD41F2A77A8AB2D310F054767FA55EB3E3C239EC048B08

Function 10010320 Relevance: 9.0, APIs: 6, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10010338
GetParent.USER32(?), ref: 1001034C
MapWindowPoints.USER32(00000000,00000000), ref: 10010351
GetParent.USER32(?), ref: 10010364
RedrawWindow.USER32(00000000), ref: 10010367
SendMessageA.USER32(?,0000000C,00000000,?), ref: 10010382

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Parent$MessagePointsRectRedrawSend
String ID:
API String ID: 4113075923-0
Opcode ID: a3ee01fb7553d39f9a948c16fa51a89dc8280046234cf4d0263b505339711d34
Instruction ID: 6f79dbd7a11734617dd8e76077c4a5d2b9badc9dcfb53b9c2e4cffef938b4707
Opcode Fuzzy Hash: a3ee01fb7553d39f9a948c16fa51a89dc8280046234cf4d0263b505339711d34
Instruction Fuzzy Hash: 2B015A71604310BBF300EB55CC8EFAF7BADEB84740F854908F5865A0A1D7B0DA95CBA2

Function 0041B700 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041AB70: CreateBrushIndirect.GDI32 ref: 0041ABDB

UnrealizeObject.GDI32(00000000), ref: 0041B70C
SelectObject.GDI32(?,00000000), ref: 0041B71E
SetBkColor.GDI32(?,00000000), ref: 0041B741
SetBkMode.GDI32(?,00000002), ref: 0041B74C
SetBkColor.GDI32(?,00000000), ref: 0041B767
SetBkMode.GDI32(?,00000001), ref: 0041B772

Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
Instruction ID: e5a7d4b7c2e235827ad94a1825542cc68ab193fc61db3cfd758683236e3ca83d
Opcode Fuzzy Hash: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
Instruction Fuzzy Hash: 25F0C275615100ABDE00FFBADACAE4B37989F443097048097B504DF197C67CE8504B39

Function 10010450 Relevance: 9.0, APIs: 6, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 10010454
SetWindowLongA.USER32(?,000000F0,00000000), ref: 1001046A
SendMessageA.USER32(?,0000040A,00000001,0000001E), ref: 1001047A
SendMessageA.USER32(?,0000040A,00000000,00000000), ref: 1001048E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 1001049B
RedrawWindow.USER32(?,00000000,00000000,00000301), ref: 100104AB

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$Long$MessageSend$Redraw
String ID:
API String ID: 3943020483-0
Opcode ID: c3b603542bc25e0be225ad0d9aba1943441581185576c3ecd5876d8ba503e94d
Instruction ID: a404be6f20c30acdff53be37c2165a515a2b0846ab5b777aa6a98462630dd4a4
Opcode Fuzzy Hash: c3b603542bc25e0be225ad0d9aba1943441581185576c3ecd5876d8ba503e94d
Instruction Fuzzy Hash: 08F0127198423276F52117624CCDFEB6D289B56BB2F314245F716780D0CBA41493D669

Function 00473AB4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473C61
FindClose.KERNEL32(000000FF,00473C8C,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473C7F
FindNextFileA.KERNEL32(000000FF,?,00000000,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473D83
FindClose.KERNEL32(000000FF,00473DAE,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473DA1

Strings

@G, xrefs: 00473E67, 00473DCB, 00473DF5, 00473E03, 00473E35, 00473DE2, 00473B8D, 00473C30, 00473BC8, 00473BDF, 00473BED, 00473BA4, 00473BAD, 00473C33

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: @G
API String ID: 2066263336-4243591082
Opcode ID: 7ded09717b708ee544d999eb748772b7a047a64154b3b23c4e7dbd4b6474bbde
Instruction ID: 0da19416abf0173bdc8d3c7c7f8ad009371619145402d5c4f287baa4c6a871bb
Opcode Fuzzy Hash: 7ded09717b708ee544d999eb748772b7a047a64154b3b23c4e7dbd4b6474bbde
Instruction Fuzzy Hash: 28C1393490424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE848B7291D738AA45DF58

Function 00455F08 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045609F,?,00000000,004560DF), ref: 00455FE5

Strings

PendingFileRenameOperations, xrefs: 00455F84
PendingFileRenameOperations2, xrefs: 00455FB4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455F68
WININIT.INI, xrefs: 00456014

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 63bc92d3b485808cad68ebc7bad28867575a10dfcc0b1f4ee82dd694707425ba
Instruction ID: a4a9f2ec6dce7785653c913c6c24b0c1e176cc517468c749f5f74b0afa9d98e4
Opcode Fuzzy Hash: 63bc92d3b485808cad68ebc7bad28867575a10dfcc0b1f4ee82dd694707425ba
Instruction Fuzzy Hash: F551B430E002089BDB15EF62DD51ADEB7B9EF45705F50817BF904A72C2DB78AE49CA18

Function 0049ABE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

ShowWindow.USER32(?,00000005,00000000,0049AE45,?,?,00000000), ref: 0049AC16

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Part of subcall function 00407738: SetCurrentDirectoryA.KERNEL32(00000000,?,0049AC3E,00000000,0049AE11,?,?,00000005,00000000,0049AE45,?,?,00000000), ref: 00407743

Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911

Strings

.dat, xrefs: 0049AC5D
.msg, xrefs: 0049AC7C
IMsg, xrefs: 0049ACEA
Uninstall, xrefs: 0049ABFC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 8cc8741fdde3d57da98d476cec90ec2627ee04639b2208d1d0e6e287e378197b
Instruction ID: 41fce5d7155baeeb4201c3977cb987a547f2b9c6e2b52af906847905e2aac1f5
Opcode Fuzzy Hash: 8cc8741fdde3d57da98d476cec90ec2627ee04639b2208d1d0e6e287e378197b
Instruction Fuzzy Hash: 4E31A374A00214AFCB00EF65CC52A6E7BB5FB89304F61857AF800E7752D739AD15CB99

Function 0042EF38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF6A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF70
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF99

Strings

user32.dll, xrefs: 0042EF65
ShutdownBlockReasonCreate, xrefs: 0042EF60

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
Instruction ID: 98e14bcb75ccd3fa79125cd8f842b3c85c6f4936fd04c03cffbbcbf6111bfa2c
Opcode Fuzzy Hash: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
Instruction Fuzzy Hash: 8AF0F6E134462237E620B27FAC82F7B55CC8F98719F15003AB508FA2C1EA6CC905426F

Function 1001BAE2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100180A9: __getptd_noexit.LIBCMT ref: 100180AA
Part of subcall function 100180A9: __amsg_exit.LIBCMT ref: 100180B7

__amsg_exit.LIBCMT ref: 1001BB0E
__lock.LIBCMT ref: 1001BB1E
InterlockedDecrement.KERNEL32(?), ref: 1001BB3B
InterlockedIncrement.KERNEL32(03271380), ref: 1001BB66

Strings

"v`"v, xrefs: 1001BB66

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID: "v`"v
API String ID: 2880340415-2422224426
Opcode ID: d790256de5d9771fb46f0d331803a04c815179442b81a80bf8ec92e8d90e2276
Instruction ID: cb3f8d07e474b1524a156136a7d50c6c7ab46c97c9500bb4219fe40de5198427
Opcode Fuzzy Hash: d790256de5d9771fb46f0d331803a04c815179442b81a80bf8ec92e8d90e2276
Instruction Fuzzy Hash: 1E01A135E05A259BDB51DB68988175973A0FF04650F110105F800AFA96CB78EAC1CBD2

Function 00458888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004588B8
GetExitCodeProcess.KERNEL32(?,?), ref: 004588D9
CloseHandle.KERNEL32(?,0045890C), ref: 004588FF

Strings

GetExitCodeProcess, xrefs: 004588E2
MsgWaitForMultipleObjects, xrefs: 004588C5

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: b41d100c780e0102d567981e9ead043da43d2217099a59abe6d3b29184cbb4a6
Instruction ID: 5ab474d98eb3a0ece9291f621c53fee7be03ae90ebbbcbdbcbdfc60506012216
Opcode Fuzzy Hash: b41d100c780e0102d567981e9ead043da43d2217099a59abe6d3b29184cbb4a6
Instruction Fuzzy Hash: 5601A271600204AFDB11EBA98C02A6A73A8EB45715F60057AF810F73D3DE38AE04961D

Function 0042E2D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2E0
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E47B,00000000,0042E493,?,?,?,?,00000006,?,00000000,0049A6E1), ref: 0042E2FB
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E301

Strings

advapi32.dll, xrefs: 0042E2F6
RegDeleteKeyExA, xrefs: 0042E2F1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
Instruction ID: 4593d6951ad1389f122581937974f3187b46c4a982a9796ded25b619d02fe20b
Opcode Fuzzy Hash: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
Instruction Fuzzy Hash: 84E06571750234F6D674AA677C4AF97260CD764726F940837F545661D187BC1C40CA5C

Function 0042EE3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69

Strings

ChangeWindowMessageFilter, xrefs: 0042EE48
user32.dll, xrefs: 0042EE4D

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
Instruction ID: 048ca61b172dfedb03cf1c059d2784ab3124221c9e2a99dd16ddbc81be59c6a3
Opcode Fuzzy Hash: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
Instruction Fuzzy Hash: B6E0B6A1661310EAFA10B7736C8AF562555AB34B19FA1043BF100651E1C6BC0884C91D

Function 00479D08 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29

Strings

AllowSetForegroundWindow, xrefs: 00479D19
user32.dll, xrefs: 00479D1E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
Instruction ID: 5357bd2adcb02916e042a40b4a090124369338466f1717feba3059f4eb7ed124
Opcode Fuzzy Hash: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
Instruction Fuzzy Hash: F8D0A9A0200301A6ED20B3B68C0BEEF239C8E9470AB10C83B3808F2187CA3CDC455B3C

Function 004170BC Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004170E2
SaveDC.GDI32(?), ref: 00417113
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,004171D5), ref: 00417174
RestoreDC.GDI32(?,?), ref: 0041719B
EndPaint.USER32(00000000,?,004171DC,00000000,004171D5), ref: 004171CF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
Instruction ID: a59a5e74ec56046a8e44d3172024536881dae92cda495952d4f2aea49f83957e
Opcode Fuzzy Hash: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
Instruction Fuzzy Hash: 9C413D70A08204AFDB14DBA9C985FAA77F9FB48314F1544AAE8059B362C7789D81CB18

Function 00414C90 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414CC6
MulDiv.KERNEL32(?,?,?), ref: 00414CE0
MulDiv.KERNEL32(?,?,?), ref: 00414D09
MulDiv.KERNEL32(?,?,?), ref: 00414D34
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414D7C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
Instruction ID: b7433d6af5671a809cf87ab508426f3e85ed5e2fdb4bb50135625d5106dc29cf
Opcode Fuzzy Hash: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
Instruction Fuzzy Hash: 1B3170706057009FC720EB2DC884AABB7E8AF89710F04891EF9D5C3751D238EC808B59

Function 0041C048 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C05A
GetSystemMetrics.USER32(0000000C), ref: 0041C064
GetDC.USER32(00000000), ref: 0041C0A2
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0E9
DeleteObject.GDI32(00000000), ref: 0041C12A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
Instruction ID: af0cd6ff41168786fc466cfb62adbf741af89e47da0ede509f3e80318da31809
Opcode Fuzzy Hash: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
Instruction Fuzzy Hash: 92314174E40205EFDB00DFA5C981AAEB7F5EB48704F1185AAF510AB381D7789E80DF98

Function 00429C5C Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C98
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429CC7
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CE3
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429D0E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429D2C

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
Instruction ID: 60921b255c01a359d0eb68e62e5e28d9b6fe2da514f119f30b014399c46582d3
Opcode Fuzzy Hash: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
Instruction Fuzzy Hash: C121AF707007057AD710ABA7DC82F4BB6ACDB40708F90043EB501AB2D2DB78AD41866D

Function 00475178 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0045D8DC: SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947

GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 004751FA
GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 00475210

Strings

Setting permissions on key: %s\%s, xrefs: 004751BE
Could not set permissions on the key because it currently does not exist., xrefs: 00475204
Failed to set permissions on the key (%d)., xrefs: 00475221

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the key because it currently does not exist.$Failed to set permissions on the key (%d).$Setting permissions on key: %s\%s
API String ID: 1452528299-522033246
Opcode ID: 1355e60d520c537b245591eb314ca0669cdd5b0204c3c9ddf5a0d2ec40fba8e3
Instruction ID: 51041ab3257bc5012ea3fc5fd74b59e1bc6a173a0ae5939bb589f078bf527dbc
Opcode Fuzzy Hash: 1355e60d520c537b245591eb314ca0669cdd5b0204c3c9ddf5a0d2ec40fba8e3
Instruction Fuzzy Hash: 0821A770A046045FDB00EBA9D8416DEBBF4EB89314F5044BBE404EB353DBB85D058BAD

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 00414870 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 004148A9
RealizePalette.GDI32(00000000), ref: 004148B1
SelectPalette.GDI32(00000000,00000000,00000001), ref: 004148C5
RealizePalette.GDI32(00000000), ref: 004148CB
ReleaseDC.USER32(00000000,00000000), ref: 004148D6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
Instruction ID: 1b199f70f0334c5ad2d95ba866badc65d16692e0f82b4d98eea4daff33ed8e78
Opcode Fuzzy Hash: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
Instruction Fuzzy Hash: 8901DF7521C3806AE200B63D8C85A9F6FEC9FCA314F05596EF498DB382CA7ACC018765

Function 10014D9A Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 10014DB8

Part of subcall function 1001ADA4: __mtinitlocknum.LIBCMT ref: 1001ADB8
Part of subcall function 1001ADA4: __amsg_exit.LIBCMT ref: 1001ADC4
Part of subcall function 1001ADA4: EnterCriticalSection.KERNEL32(?,?,?,10020975,00000004,1002CDE8,0000000C,100173D8,00000000,00000000,00000000,00000000,00000000,1001805B,00000001,00000214), ref: 1001ADCC

___sbh_find_block.LIBCMT ref: 10014DC3
___sbh_free_block.LIBCMT ref: 10014DD2
HeapFree.KERNEL32(00000000,00000001,1002C9C0,0000000C,1001AD85,00000000,1002CBE8,0000000C,1001ADBD,00000001,?,?,10020975,00000004,1002CDE8,0000000C), ref: 10014E02
GetLastError.KERNEL32 ref: 10014E13

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8138c0ffbe481b899e05031c0380943a3c2390b269d77bff90a9d0a706bde6ae
Instruction ID: cfc76feb669d3357d397b8650369f13d843ecf664989c9355249c888fcd2c980
Opcode Fuzzy Hash: 8138c0ffbe481b899e05031c0380943a3c2390b269d77bff90a9d0a706bde6ae
Instruction Fuzzy Hash: 4C018B39C01225AAEF21DF70AC45B4E37E8EF01761F214009F505AF192CF74D5C58B91

Function 0046D0BC Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

PrepareToInstall failed: %s, xrefs: 0046D41A
NextButtonClick, xrefs: 0046D1F8
Need to restart Windows? %s, xrefs: 0046D441

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 3a186a007e4f91e7caeefa56d0da4c1e8601630267600823766f63052068a651
Instruction ID: 44988f13848ffd89d71039ac62f11851b9b9fcebd064a36e5433384ef0c4aa5d
Opcode Fuzzy Hash: 3a186a007e4f91e7caeefa56d0da4c1e8601630267600823766f63052068a651
Instruction Fuzzy Hash: 4ED13E34E00109DFDB00EF99C585AEE77F5AB49308F6444B6E804AB352E778AE45CB5A

Function 10001F90 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

Getting file information..., xrefs: 1000209F
Initializing..., xrefs: 10002001
HEAD, xrefs: 1000215E

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message$Peek$DispatchErrorInternetLastOpenTranslate
String ID: Getting file information...$HEAD$Initializing...
API String ID: 112184695-2928475931
Opcode ID: 94d24d67314c8fa4178f1b4aa1c9104cf026291a00f7cdead894d27cde1e5cc4
Instruction ID: ea77723d18dfd50b1d2fc6192bc443b74d99293cbfc67afdc41aa1699e1097d4
Opcode Fuzzy Hash: 94d24d67314c8fa4178f1b4aa1c9104cf026291a00f7cdead894d27cde1e5cc4
Instruction Fuzzy Hash: 2F91F271A00645AFDB00DF68C8816AEBBF1FF483A4F14822EE52497686CB31B955CBD1

Function 00485444 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,00485795), ref: 00485568
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00485606

Strings

, xrefs: 004856C3
Need to restart Windows? %s, xrefs: 00485643

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: a95cbf927e22f80de55b02d4689da4a175a84f58c248fd1ee268b9745b637bd1
Instruction ID: 8ac728fbb8e3d27f98a22662cdea6886523d2868be6ee68a7c392ecda210aa03
Opcode Fuzzy Hash: a95cbf927e22f80de55b02d4689da4a175a84f58c248fd1ee268b9745b637bd1
Instruction Fuzzy Hash: 1B91A034A006449FDB10EB69D885B9E77E1AF55308F5484BBE800DB366D73CA809CB5E

Function 1000EE20 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,00000402,?,00000000), ref: 1000EF58
PostMessageA.USER32(?,00000402,?,00000000), ref: 1000F085

Strings

FileProgressBar, xrefs: 1000F018
TotalProgressBar, xrefs: 1000EEEF

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessagePost
String ID: FileProgressBar$TotalProgressBar
API String ID: 410705778-679699356
Opcode ID: b856897ba4d1df8bfb805c8b996d0b8bb57fe9702c0e9d5d22ac01fcd5b6dadb
Instruction ID: 64bab11ce356a1b2a99fd013084b73626a41dc127b502d7358c22f98eb5cbfb0
Opcode Fuzzy Hash: b856897ba4d1df8bfb805c8b996d0b8bb57fe9702c0e9d5d22ac01fcd5b6dadb
Instruction Fuzzy Hash: E9715CB150C7808BD304DFA5C99165BFBE4FB88790F204D2DF8A5863A0EB79D884CB42

Function 00471340 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

GetLastError.KERNEL32(00000000,0047153D,?,?,0049F1E4,00000000), ref: 0047141A
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471494
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004714B9

Strings

Creating directory: %s, xrefs: 00471402

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: f3f5c76d6a811d2342dfff82ede6b91c6ded70d56010fc8a7de985c9a00577ad
Instruction ID: 20bf2e2c57de6391f44c88e9dad00ec8a22121e450acada444c040a0f05f54d0
Opcode Fuzzy Hash: f3f5c76d6a811d2342dfff82ede6b91c6ded70d56010fc8a7de985c9a00577ad
Instruction Fuzzy Hash: 94514634E00248ABDB01DFA9C982BDEB7F5AF48304F50847AE815B7392D7789E04CB59

Function 00407434 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407493
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040750D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407565

Strings

Z, xrefs: 004074CC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
Instruction ID: 40f8d8e8b2f406d6a8a22564fe957c27a4ea1e6c79599dfe788430968c9fdea8
Opcode Fuzzy Hash: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
Instruction Fuzzy Hash: DD51A270E04608AFDB11EF99CC41A9EBBF9EB09314F1045BAE400B72D1D778AE418F5A

Function 004613A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(00000000,0000000C), ref: 004613D4
GetDIBits.GDI32(00000000,00000000,?,00000000,00000000,004615E1), ref: 004614D4

Strings

, xrefs: 00461437
(, xrefs: 00461416

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: BitsCapsDevice
String ID: $(
API String ID: 1216508973-55695022
Opcode ID: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
Instruction ID: 5dc47b70b294587cc13581978d3ce92ec5f010f9ab1f52b5f87cd7b8da97004a
Opcode Fuzzy Hash: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
Instruction Fuzzy Hash: 67413E71E00209AFDB00DFA9C885AAEFBF8FF49304F14406AE515F72A0D7799944CB5A

Function 0044D62C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D6BA
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D6E5
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D76D

Strings

, xrefs: 0044D69F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
Instruction ID: 12a4b21e602b9f7a78cd53eafda620a7b7433ebb18c5ccfef023c502be569e40
Opcode Fuzzy Hash: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
Instruction Fuzzy Hash: B6515171E00244AFDB11DFA5C885BDEBBF9EF49308F05847AE805EB252D7789944CB64

Function 100094D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000111,00000000), ref: 100113AE
idpReportError.IDP ref: 100113FF

Strings

WizardForm, xrefs: 10011369
InvisibleButton, xrefs: 100112F1, 10011345

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorMessageReportSend
String ID: InvisibleButton$WizardForm
API String ID: 832656352-3077912615
Opcode ID: 6fe366af748c9212a4c210cba9be6ec28d3324f956991dd6cb23fb1c02a94907
Instruction ID: 302f3f52566c2900e7d544648f35baabe7b1fa575a50273f1bd01b015bf0bc9c
Opcode Fuzzy Hash: 6fe366af748c9212a4c210cba9be6ec28d3324f956991dd6cb23fb1c02a94907
Instruction Fuzzy Hash: D641AEB65087409FD314CF19C881A9BBBE8FB85B50F400A2EF69547351DB79E888CB97

Function 10010700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(00000030), ref: 10010826
GetDesktopWindow.USER32 ref: 10010835
DialogBoxParamA.USER32(?,00000065,00000000,10007C80,00000000), ref: 1001084C

Strings

LabelFont, xrefs: 10010751

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: BeepDesktopDialogMessageParamWindow
String ID: LabelFont
API String ID: 2847301737-2346607873
Opcode ID: 814ec205267feb42dd700eb0244b538c278535473597b201e6d18a1966c88bfd
Instruction ID: 45189f05bad93587ec4a766e1363c1d582697811280d4e49e11effef2d98524f
Opcode Fuzzy Hash: 814ec205267feb42dd700eb0244b538c278535473597b201e6d18a1966c88bfd
Instruction Fuzzy Hash: 10418C755083819FE320CB68C886B9FB7E8FF89650F40491EF59987252DB34E948CB63

Function 0042F440 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042F46A

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(?,00000000), ref: 0042F48D
ReleaseDC.USER32(00000000,?), ref: 0042F56C

Strings

...\, xrefs: 0042F51E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
Instruction ID: 6da19e17498f2b2ee05211f2735e4231f31b0ac4056ea50bc180adaf4849e001
Opcode Fuzzy Hash: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
Instruction Fuzzy Hash: 3E313370B00229ABDF11EF9AD851BAEB7B8EB48304FD0447BF414A7291C77C5D45CA59

Function 10007430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 10007493
std::_String_base::_Xlen.LIBCPMT ref: 100074A6
_memcpy_s.LIBCMT ref: 100074F9

Strings

HEAD, xrefs: 10007434

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: String_base::_Xlenstd::_$_memcpy_s
String ID: HEAD
API String ID: 709706234-2439387944
Opcode ID: af5304e976208645e8e736165c8dd4e7d2c9d6aad5028bd832b100f8e18a0a8b
Instruction ID: 962f7e72fdadf9a267ec6c835637fa989174db726706bc13f6c7598dbf747d76
Opcode Fuzzy Hash: af5304e976208645e8e736165c8dd4e7d2c9d6aad5028bd832b100f8e18a0a8b
Instruction Fuzzy Hash: F631F831B006144BE730DE5CD8C051EB7E6FB912D07614A2DE14A8B64EDB75FC4487A2

Function 004555D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045567E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00455744), ref: 004556E8

Strings

SfcIsFileProtected, xrefs: 00455678
sfc.dll, xrefs: 00455640

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
Instruction ID: 311e8501e48ef86dedbd1e32416f62ff44579e2f461d143f7aa5c8e880f43ce1
Opcode Fuzzy Hash: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
Instruction Fuzzy Hash: FC418670A00718DBEB20EB55DC95BAD77B8AB04309F5041B7A908E7293D7785F48DA5C

Function 004540B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7

Strings

.tmp, xrefs: 0045415B
_iu, xrefs: 00454149

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 53f828e6ceb702bbfaa2d7dbbab8cdacf8318c59bed055e58ff6238b3f7065b7
Instruction ID: 578c6d25dcdad9d531da493d0199c9855db5075e5bb7f28aad5cf4ca392b9bb0
Opcode Fuzzy Hash: 53f828e6ceb702bbfaa2d7dbbab8cdacf8318c59bed055e58ff6238b3f7065b7
Instruction Fuzzy Hash: F431C770E00119ABCB11EFA5C842B9EBBB5AF54309F60416AF804BB3C2D6385F4586A8

Function 004168A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
UnregisterClassA.USER32(?,00400000), ref: 0041693B
RegisterClassA.USER32(?), ref: 0041695E

Strings

@, xrefs: 004168B9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 09c5f863f50a19c9c3a0ba234899ce8f036c1dfa8e61a409ba2f05b6422b8e41
Instruction ID: f0814f926fbfb3063bbfc520005841906eff1053595eb63299fc6e458af65efd
Opcode Fuzzy Hash: 09c5f863f50a19c9c3a0ba234899ce8f036c1dfa8e61a409ba2f05b6422b8e41
Instruction Fuzzy Hash: 70316E702043418BDB20EF69C485B9A77E5AB89308F04447FF985DF392DB39DD858B6A

Function 0049B094 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B104
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B12D
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049B146

Strings

isRS-%.3u.tmp, xrefs: 0049B0E3

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
Instruction ID: e58a6bb4d61ebf27a8f85bf79e18a3daf7ddf139a146e4c83f08b8ac6b3baeb0
Opcode Fuzzy Hash: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
Instruction Fuzzy Hash: B2216470E10209ABCF04EFA9D9929AFBBB8EF44354F10453AB814B72D1D7385E018A99

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
Error, xrefs: 00404DB9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
Instruction ID: d5004cfacfd42fd5c2be0182736057b03719568bea5446043c3b888183e5f090
Opcode Fuzzy Hash: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
Instruction Fuzzy Hash: AE21B360A442519AEB15E7B7EC857163BD197E9348F048177E700B73E3C6BC984487AE

Function 0045742C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00457480
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 004574AD

Strings

LoadTypeLib, xrefs: 0045748B
RegisterTypeLib, xrefs: 004574B8

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
Instruction ID: 9f3c69dbed6527a7536611739b590712afd4786c139aba5f8c5ce656fa2fa7d6
Opcode Fuzzy Hash: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
Instruction Fuzzy Hash: 0D11B130B04604BFDB11DFA6DD51A5ABBADEB89305F1084B6BC04D3652EA389A04CA18

Function 004579E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 004579FE
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A9B

Strings

Failed to create DebugClientWnd, xrefs: 00457A64
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457A2A

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
Instruction ID: 1ab6ed05e85d1bb283b6b865c49c58556a26672ef247bde5bc39928aa0d5d30a
Opcode Fuzzy Hash: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
Instruction Fuzzy Hash: 751123707082106FE310AB28AC81B8F7B989B15309F04807BF985DB383C3799D08C7AE

Function 00450424 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 0045048C
LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 004504D2

Part of subcall function 004503F4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045040C

Strings

RICHED32.DLL, xrefs: 004504BF
RICHED20.DLL, xrefs: 00450479

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: RICHED20.DLL$RICHED32.DLL
API String ID: 2630572097-740611112
Opcode ID: 374f2d9e90cc37eef180cc8d20d2e3149e70aeb14d460e8c5a8d30249f6f1077
Instruction ID: 4d2f5d6df61b0d0ac72fc53e5f3b8721577eb5fe8aac3b6587ce23d73eaa98fa
Opcode Fuzzy Hash: 374f2d9e90cc37eef180cc8d20d2e3149e70aeb14d460e8c5a8d30249f6f1077
Instruction Fuzzy Hash: 4F212174500248FFDB00FFA2D886B5E77F8EB5435AF504477E800A7662D7786A498E5C

Function 0047A860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

GetFocus.USER32 ref: 0047A8CB
GetKeyState.USER32(0000007A), ref: 0047A8DD
WaitMessage.USER32(?,00000000,0047A904,?,00000000,0047A92B,?,?,00000001,00000000,?,00482693,00000000,0048361D), ref: 0047A8E7

Strings

Wnd=$%x, xrefs: 0047A8AF

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
Instruction ID: 77d4776769ed3d961f5a478265b7c30efea3ded7fa53bcd9a53f0dfc2223b557
Opcode Fuzzy Hash: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
Instruction Fuzzy Hash: A91194B0604145AFC700FF66D841A9E77B8EB89714B5288B6F408E7281D73C6D208A6B

Function 1000B0B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1000B0D8
GetModuleHandleA.KERNEL32(wininet.dll,00000000,00000400,?,00000400,00000000), ref: 1000B105
FormatMessageA.KERNEL32(00001200,00000000,00000000,00000400,?,00000400,00000000), ref: 1000B125

Strings

wininet.dll, xrefs: 1000B100

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: FormatHandleMessageModule_memset
String ID: wininet.dll
API String ID: 528496211-3354682871
Opcode ID: 38a10d756f39a5cfb6feebfa59d39f2de6f8920bf53a07f71fe09334c7cc00e4
Instruction ID: bfd13f30e42cf246182aa47666bba72f02dbdecf80acc5ef3aaa173cbfc2ea29
Opcode Fuzzy Hash: 38a10d756f39a5cfb6feebfa59d39f2de6f8920bf53a07f71fe09334c7cc00e4
Instruction Fuzzy Hash: 171170B42047406FF320CB10CD56FAB77E9EB84B44F508518F7499A1C5DBB4A549879A

Function 0046FD50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046FD58
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046FD67

Strings

(invalid), xrefs: 0046FDEA
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046FDDC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
Instruction ID: 1dc787eced2517cb8807bab7c2b20f1510b2cd86f013857d73bb6b07fca1fef3
Opcode Fuzzy Hash: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
Instruction Fuzzy Hash: CB11F8A440C3919AD340DF2AC44472BBAE4AF99704F04496EF9C8D6391E77AC948DB67

Function 00454772 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045477F

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

MoveFileA.KERNEL32(00000000,00000000), ref: 004547A4

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

MoveFile, xrefs: 004547AD
DeleteFile, xrefs: 00454790

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
Instruction ID: 530c5230d1c48a198e6632d8711bb006f4eeac499d42d39edb4531016cb1c6b4
Opcode Fuzzy Hash: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
Instruction Fuzzy Hash: C2F086752142445AE701FFA6D84266E63ECDB8431FFA1443BFC00BB6C3DA3C9D094929

Function 00456240 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,004562AB,?,00000001,00000000), ref: 0045629E

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045624C
PendingFileRenameOperations, xrefs: 00456270
PendingFileRenameOperations2, xrefs: 0045627F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 92624241078a00f7c1b0f08652fbe8534835c4ea1a2c908f545524f159a12353
Instruction ID: 03744892537dc61f373a56118159d2a705b6a08e7bce835c08af8ac15a0ef851
Opcode Fuzzy Hash: 92624241078a00f7c1b0f08652fbe8534835c4ea1a2c908f545524f159a12353
Instruction Fuzzy Hash: 2EF09671204604AFDB05E7A6DC13B6B73ACD744715FE245B7F900C7682DAB9ED04962C

Function 00465A14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BBBC: LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E

Part of subcall function 004659E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004659FB

LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65

Strings

shell32.dll, xrefs: 00465A4C
SHPathPrepareForWriteA, xrefs: 00465A31

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 1442766254-2683653824
Opcode ID: af518b03cf9376046f8dcedef4f09e900b75585814e9c5691420b5e6294b90ad
Instruction ID: 40adbffb9e5bdfd27d779661ae68592eaffae07e03a1378c290830cb38e34495
Opcode Fuzzy Hash: af518b03cf9376046f8dcedef4f09e900b75585814e9c5691420b5e6294b90ad
Instruction Fuzzy Hash: 07F04470640A08BFD701FBA2DC93F5E7BACDB45714FA0457BB400B6592E67C9E048A5D

Function 00459BF4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41

Strings

.NET Framework not found, xrefs: 00459C50
SOFTWARE\Microsoft\.NETFramework, xrefs: 00459C14
InstallRoot, xrefs: 00459C30

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 8e19ad16d369bcc1cdc551d6f7a6bfc3dd5aaf0307e8b56589e706dd5174713a
Instruction ID: 38d3340ec7adb02875813bbcd1e17bd1b65749923c884860087a6e41a9d30ab7
Opcode Fuzzy Hash: 8e19ad16d369bcc1cdc551d6f7a6bfc3dd5aaf0307e8b56589e706dd5174713a
Instruction Fuzzy Hash: CEF0A9713001109BC710EB1A9881B9E63CEDB92316F24403BBA85C7353E63CCC0A8629

Function 00485F94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FD5
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FF8

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00485FA2
CSDVersion, xrefs: 00485FCC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 6218c6c2fb9451a17f77c2bb797b492f1626bc5d3910a3f1f10820abaf446096
Instruction ID: 690f3357d7f3b8f107864325de2190f20260369eddc5d30bd8c99057d7f378d2
Opcode Fuzzy Hash: 6218c6c2fb9451a17f77c2bb797b492f1626bc5d3910a3f1f10820abaf446096
Instruction Fuzzy Hash: D9F04475A40208EADF10EAD58C45BDF73BC9B04704F104567EB10E7280EB39AA04CB5D

Function 10021D45 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10018C05), ref: 10021D4A
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10021D5A

Strings

IsProcessorFeaturePresent, xrefs: 10021D54
KERNEL32, xrefs: 10021D45

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 52f91cba384985d72e24e7e642c3ea1e1a73a93e61eeab7bf516b55f6d64dcda
Instruction ID: 836bf0a6e4ae59400666b4504b5a2db79e34c851a083ef9494c8542cb11c8dd3
Opcode Fuzzy Hash: 52f91cba384985d72e24e7e642c3ea1e1a73a93e61eeab7bf516b55f6d64dcda
Instruction Fuzzy Hash: FFF0D034900919E6EF44AFA1BC496EE7A78FB95746FD20590D5D2B0094DF3180B59391

Function 0042DD80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0

Strings

GetSystemWow64DirectoryA, xrefs: 0042DD90
kernel32.dll, xrefs: 0042DD95

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
Instruction ID: 364facf3dcd8fd4fb48bac821a112922c1d8aa8d1bb3947713f5e14a9d28bbdd
Opcode Fuzzy Hash: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
Instruction Fuzzy Hash: 8EE026A1B60F0113D700317A5C8375B208E4F84718F90043F3984F52C2DDBCD988462D

Function 0042EFE4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF60), ref: 0042EFF2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFF8

Strings

user32.dll, xrefs: 0042EFED
ShutdownBlockReasonDestroy, xrefs: 0042EFE8

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
Instruction ID: d167ebeb3a0c78ffef62d304a6593c01274f0b6b7e47665dfbb0b7c0d901300f
Opcode Fuzzy Hash: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
Instruction Fuzzy Hash: 68D0C792712732576A5035F53CC1AAB429CC9156AE3D40077FA40E6143D95DCC1926AC

Function 0044FDB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1

Strings

NotifyWinEvent, xrefs: 0044FDE1
user32.dll, xrefs: 0044FDE6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
Instruction ID: 223032890b7009ceba89b3f881feb785258270d151d072d0a62a9436c582bc8a
Opcode Fuzzy Hash: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
Instruction Fuzzy Hash: 4FE012F0D417509AFB00FBB79846B093AE0D76471CB10107FF541A6653DBBC54588B1E

Function 0049B7EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC

Strings

DisableProcessWindowsGhosting, xrefs: 0049B7EC
user32.dll, xrefs: 0049B7F1

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
Instruction ID: 54119c6ef0f49054147f19105d5d020da2821b8521f233d32c589f61db0a4d0d
Opcode Fuzzy Hash: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
Instruction Fuzzy Hash: E5B09280681A01509C00B2B22E02A6B080CCC887997240037B400B00C6CF6C844504BD

Function 0047F8B0 Relevance: 6.2, APIs: 4, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88), ref: 0047FA00
FindClose.KERNEL32(000000FF,0047FA2B,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88,00000000), ref: 0047FA1E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 782f464fb3219a71b0426b89cfcc2a1ae4ac0cdfd739204b341c0cf05095bebc
Instruction ID: a2492a823a8cbc0112e5e27725a6df3c9536d0a8ebd69a23b4f87c8590b3ed18
Opcode Fuzzy Hash: 782f464fb3219a71b0426b89cfcc2a1ae4ac0cdfd739204b341c0cf05095bebc
Instruction Fuzzy Hash: AE814F7090024DAFCF11DFA5CC51AEFBBB8EB49304F5080BAE508A7291D7399A4ACF55

Function 00414188 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004141D6
GetDesktopWindow.USER32 ref: 0041428E

Part of subcall function 00419350: 6FC2C6F0.COMCTL32(?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 0041936C
Part of subcall function 00419350: ShowCursor.USER32(00000001,?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 00419389

SetCursor.USER32(00000000,?,?,?,?,00413F83,00000000,00413F96), ref: 004142CC

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
Instruction ID: 19a59601e3d98a3dbb13d851837e3bb0d350916c882c7f1eea00ba3daa39fbf9
Opcode Fuzzy Hash: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
Instruction Fuzzy Hash: 1B414C74600161EFCB10EF6AE988B9637E1ABA5318B4588BBF414CB365D738DC81CB1D

Function 10022D1B Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10022D4B
__isleadbyte_l.LIBCMT ref: 10022D7F
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,1001976C,?,?,00000002), ref: 10022DB0
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,1001976C,?,?,00000002), ref: 10022E1E

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 01cb28d65e255065f856e53455069d490a0d56db272263c896bbdf87778fb01a
Instruction ID: 329c05c60c342fa6dc16da6eb877a45b4e190b72b387b2956c432082f24e4741
Opcode Fuzzy Hash: 01cb28d65e255065f856e53455069d490a0d56db272263c896bbdf87778fb01a
Instruction Fuzzy Hash: B531CF31A00286FFDB10DFE4E885AAE7BE9FF01251F9285A9E8649B1A1D730DD40DB51

Function 00408EE4 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408F05
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F74
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 0040900F
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040904E

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
Instruction ID: ceac9c6dafe2e417819c9b5c7653bc03c0e73b1c5c8721bcefa97444966463b6
Opcode Fuzzy Hash: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
Instruction Fuzzy Hash: 6B3152716083819EE330EB65C945B9B77D89B86704F00483EB6C8EB2D2DBB999048767

Function 0044EF30 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EF79

Part of subcall function 0044D5BC: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D5EE

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EFFD

Part of subcall function 0042C044: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C058

IsRectEmpty.USER32(?), ref: 0044EFBF
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EFE2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
Instruction ID: 10a93ef1daca5ec4afac806ac6fb62918bca6b9886f72cf97470359dbd205846
Opcode Fuzzy Hash: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
Instruction Fuzzy Hash: F211387170030027E720BA7E9C86B5B76899B88748F04083FB545EB383DD79D80987AA

Function 00498790 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 004987F4
OffsetRect.USER32(?,00000000,?), ref: 0049880F
OffsetRect.USER32(?,?,00000000), ref: 00498829
OffsetRect.USER32(?,00000000,?), ref: 00498844

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
Instruction ID: 3054ac6025076f3b6e7609c5ec68807071a52c8bb3756e2ec3ebb03cdf9dd8d0
Opcode Fuzzy Hash: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
Instruction Fuzzy Hash: A4213BB66042019BD700DE6DCD85E6BB7EEEBC4300F54CA2EF554C724ADA34E94487A6

Function 004176A8 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004176F0
SetCursor.USER32(00000000), ref: 00417733
GetLastActivePopup.USER32(?), ref: 0041775D
GetForegroundWindow.USER32(?), ref: 00417764

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
Instruction ID: 2e5a0fdf5ba03c47f255224e58a8cf5d0223c50b95843e628a0bc5c759944eb4
Opcode Fuzzy Hash: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
Instruction Fuzzy Hash: C521A1342086018ACB10EF2AD885ADB33B1AB54754F45456BE4658B3A2D73CFC80CB89

Function 10013850 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

FtpGetFileSize.WININET(?,?), ref: 1001386B
HttpQueryInfoA.WININET(?,20000005,?,?,?), ref: 100138AC
InternetCloseHandle.WININET(?), ref: 100138D8
InternetCloseHandle.WININET(?), ref: 100138EF

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseHandleInternet$FileHttpInfoQuerySize
String ID:
API String ID: 3196265937-0
Opcode ID: 9ee172b47f6cda229a24c54c5b7c5d8e0de0e7e8b0d3f506f038409a2315639d
Instruction ID: 66675e9abe107ef4515a1fce17a470345106ff4a24ee28f0b8a9fe09c6c0636f
Opcode Fuzzy Hash: 9ee172b47f6cda229a24c54c5b7c5d8e0de0e7e8b0d3f506f038409a2315639d
Instruction Fuzzy Hash: FE112B716047059FE310DF6AC884B97B7E9FB88364F504A2DF969C2240DB34EA498A21

Function 10001E80 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001ED5
InternetSetOptionA.WININET(00000000,00000002,000000FE,00000004), ref: 10001F01
InternetSetOptionA.WININET(00000000,00000005,000000FE,00000004), ref: 10001F1B
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 10001F35

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Internet$Option$Open
String ID:
API String ID: 1764825000-0
Opcode ID: fead50b3e73745da6217dd3236f5ad90378ca3a703bf12bc2f084a612d43aa39
Instruction ID: 36ce0c1a3cfa839c792adb72fd13ae93b827a54613ac2458d02bdd792e6c7646
Opcode Fuzzy Hash: fead50b3e73745da6217dd3236f5ad90378ca3a703bf12bc2f084a612d43aa39
Instruction Fuzzy Hash: 7C112970200B46EBE774CA70CC49FEBB3E8EB84795F504A2CE6A6961C0D7B4B8458B10

Function 00498448 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 0049845D
MulDiv.KERNEL32(50142444,00000008,?), ref: 00498471
MulDiv.KERNEL32(F6D0DBE8,00000008,?), ref: 00498485
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 004984A3

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
Instruction ID: 16986aa08010ea5786b5adfb16098ff8e4cfd335a8687684758257d255a94a27
Opcode Fuzzy Hash: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
Instruction Fuzzy Hash: E6112172604214ABCB40DFADC8C4D9B7BECEF4D330B14416AF918DB246DA34ED408BA4

Function 0041F910 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F900,?), ref: 0041F931
UnregisterClassA.USER32(0041F900,00400000), ref: 0041F95A
RegisterClassA.USER32(0049C598), ref: 0041F964
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F99F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
Instruction ID: 68e5657fabb3e6ce4c602d6ce4962bfcd13d5dfe703a8334c3f88caa16143e55
Opcode Fuzzy Hash: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
Instruction Fuzzy Hash: 10019EB22001147BCB10EF69DC81E9B3798A719324B10413BBA05EB2E1C63AAC158BAD

Function 00455778 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 004557A4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 57295d33ad6a1093ec6467e7b000eac01f0bccdd93fbf097cc2358da62840bd5
Instruction ID: 5ee05597952c7b60c0905264d30be017cf261a6af7f6414952b470fafc47fcf8
Opcode Fuzzy Hash: 57295d33ad6a1093ec6467e7b000eac01f0bccdd93fbf097cc2358da62840bd5
Instruction Fuzzy Hash: B801B970A40A18BEEB10D7A58C16F7BBBACDF49770F610567F904D72C2D5B85D00C668

Function 0040D4A0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D4B7
LoadResource.KERNEL32(00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94,0000000A,00000000), ref: 0040D4D1
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94), ref: 0040D4EB
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?), ref: 0040D4F5

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
Instruction ID: 6e22508d3f73bf4cb8027158dc6397cf7561c54783b82958bb500a3598b7952a
Opcode Fuzzy Hash: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
Instruction Fuzzy Hash: 66F017736055046F9744EEADA881D6B77DCDE48364310417FF908D7246D938DD118B78

Function 10021C39 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 10021C5D

Part of subcall function 10021A88: __fltout2.LIBCMT ref: 10021AB2

__cftog_l.LIBCMT ref: 10021C83
__cftoe_l.LIBCMT ref: 10021CB5

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: e65e0fb3893ad0086685bf588fe0b1a9c84b709b96e47e72e07466fa111e5513
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: C001833A44014EBBCF128F80EC418DE3F62FF28284F958414FE5954031C332D971AB81

Function 004565CC Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000,0045C065), ref: 00456608
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000), ref: 00456611
RemoveFontResourceA.GDI32(00000000), ref: 0045661E
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00456632

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 0144adda08525407a7e8f3b5244105c9112ab39d3edb3319c9ec77ff886cb319
Instruction ID: 8f096fb0a68a4ca8fa6e8945f44f96b9dbd63233ba955a9cb78d2d10420d775d
Opcode Fuzzy Hash: 0144adda08525407a7e8f3b5244105c9112ab39d3edb3319c9ec77ff886cb319
Instruction Fuzzy Hash: A4F05EB574131076EA10B6B69D87F5B268C8F54745F50483BBA00EF2C3D97CD805566E

Function 00471658 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 004716A9

Strings

Setting NTFS compression on directory: %s, xrefs: 00471677
Failed to set NTFS compression state (%d)., xrefs: 004716BA
Unsetting NTFS compression on directory: %s, xrefs: 0047168F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
Instruction ID: 126f6134b27ad8e4671cf18fb541cded6235f59fca6c90d789c2948c6de7ddb8
Opcode Fuzzy Hash: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
Instruction Fuzzy Hash: 9C014F30E082486BCB04DBAD54412DDBBE49F4D305F58C1EFA458E7292DA780A088BAA

Function 00471E04 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 00471E55

Strings

Setting NTFS compression on file: %s, xrefs: 00471E23
Unsetting NTFS compression on file: %s, xrefs: 00471E3B
Failed to set NTFS compression state (%d)., xrefs: 00471E66

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
Instruction ID: f6184f432152a0a7fc1a05f21f829c234c5ebe7cab1ff57a01f48c4da343ccce
Opcode Fuzzy Hash: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
Instruction Fuzzy Hash: 6F01A230E0824866DB00DBED54412DDBBE58F4D344F54C1EFAC58E7392DF780A088B9A

Function 100035C0 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 100035DF
TranslateMessage.USER32(?), ref: 100035F4
DispatchMessageA.USER32(?), ref: 100035F7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 10003602

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 1f3e084d03dfef12975d8d0d23ba00e1d6486804f9d89c5be42f2a9b48817671
Instruction ID: f22ecac74d8b84270f57e9e7b9dfb41fae66a4d7bb78910db73619bb1d974a17
Opcode Fuzzy Hash: 1f3e084d03dfef12975d8d0d23ba00e1d6486804f9d89c5be42f2a9b48817671
Instruction Fuzzy Hash: C1F0657278572536F22252165C82F9B638D9B46BD8F224011F700661D4D696A94241AC

Function 0047EF84 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047EFA5
GetLastError.KERNEL32 ref: 0047EFAF
GetTickCount.KERNEL32 ref: 0047EFB9
Sleep.KERNEL32(00000032), ref: 0047EFC9

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
Instruction ID: 0807e7f7cf1e805980a62751cbb38808fe0fbb755af5a0e062f1309e6a3556a9
Opcode Fuzzy Hash: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
Instruction Fuzzy Hash: 3BE02B3230910065C72075BF18966BF498ACE89368F148BBFF088E7686C81C8C05957E

Function 10014369 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10014369

Part of subcall function 10017EF2: TlsGetValue.KERNEL32(10018035), ref: 10017EF8
Part of subcall function 10017EF2: __decode_pointer.LIBCMT ref: 10017F08
Part of subcall function 10017EF2: TlsSetValue.KERNEL32(00000000), ref: 10017F15

Part of subcall function 10017ED7: TlsGetValue.KERNEL32(?,10014379,00000000), ref: 10017EE1

__freefls@4.LIBCMT ref: 100143B4

Part of subcall function 10017F1C: __decode_pointer.LIBCMT ref: 10017F2A

GetLastError.KERNEL32(00000000,?,00000000), ref: 10014390
ExitThread.KERNEL32 ref: 10014397

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Value$__decode_pointer$ErrorExitLastThread___set_flsgetvalue__freefls@4
String ID:
API String ID: 3839060521-0
Opcode ID: a4fe926313d7a6d2242ddb2f43980a825445d5553d511e076acb9c5b280ba196
Instruction ID: 2fc379692e8ee6ba6c64bcc6eeed7fa4d366cb4c915913473749003525cc6407
Opcode Fuzzy Hash: a4fe926313d7a6d2242ddb2f43980a825445d5553d511e076acb9c5b280ba196
Instruction Fuzzy Hash: D8F0F9785002519FE708EBA0CD8AA1A7BE9EF48344F228558F91C8B172DF34EDD6DA11

Function 10014328 Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100180A9: __getptd_noexit.LIBCMT ref: 100180AA
Part of subcall function 100180A9: __amsg_exit.LIBCMT ref: 100180B7

__getptd_noexit.LIBCMT ref: 100142FE
CloseHandle.KERNEL32(?), ref: 10014312
__freeptd.LIBCMT ref: 10014319
ExitThread.KERNEL32 ref: 10014321

Part of subcall function 10018442: __FindPESection.LIBCMT ref: 10018469

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: __getptd_noexit$CloseExitFindHandleSectionThread__amsg_exit__freeptd
String ID:
API String ID: 3726980375-0
Opcode ID: 150d0a0add5352be1a4b1858eddbd6e54890c39aa76365abe1068670a54ed427
Instruction ID: ff4ef8a4f2f0ea5e82b298b28a641943d379afee87524f1c2ba5b1f9fc7bdd63
Opcode Fuzzy Hash: 150d0a0add5352be1a4b1858eddbd6e54890c39aa76365abe1068670a54ed427
Instruction Fuzzy Hash: D3F08C36801625AFE345E7A08C89FDD3BA5DF00792F620200F5229E0B1CF74DBC69766

Function 0047A378 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A381
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A387
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3A9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3BA

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: f93ed52c88d90ba5c528f42d115abfb4af007baf83d414758cff02644cdb3cd3
Instruction ID: c90943684b1729c40737559502ac118c81e83100165bab7ebfc4b972d9605339
Opcode Fuzzy Hash: f93ed52c88d90ba5c528f42d115abfb4af007baf83d414758cff02644cdb3cd3
Instruction Fuzzy Hash: 94F037616443006BD600EAB58D81E5F73DCDB44354F04883A7E94C72C1E678DC18A776

Function 004246D0 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 004246DC
IsWindowVisible.USER32(?), ref: 004246ED
IsWindowEnabled.USER32(?), ref: 004246F7
SetForegroundWindow.USER32(?), ref: 00424701

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
Instruction ID: 089861d4a48d175db2243411625799630e322bd2ba2e4807a6d4d74949adae11
Opcode Fuzzy Hash: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
Instruction Fuzzy Hash: 1CE08691B03531129E31FAA518D1A9B018CEDC6B843461127FC26F7243DB1CCC0041BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnlock.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalLock.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
Opcode Fuzzy Hash: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A

Function 10002330 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 269networkCOMMON

Download Yara Rule

APIs

Part of subcall function 10001E80: InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001ED5

GetTickCount.KERNEL32 ref: 1000240A

Part of subcall function 10003810: GetLastError.KERNEL32(EC6CF6C6,?,?,?,00000000,10027C48,000000FF,100030EE,?,Download failed), ref: 10003835

InternetCloseHandle.WININET(?), ref: 100026C2

Strings

Starting download..., xrefs: 10002438

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Internet$CloseCountErrorHandleLastOpenTick
String ID: Starting download...
API String ID: 2714926856-2667269516
Opcode ID: e167a1e1c28e1c859388f78e7bbe5d42e93a878a9d2667b8d75a20d07f1c78e5
Instruction ID: 7e04c7f06969f049970f30f1c27fce7ad9f0dd45213ba74aca60a0fa978390b5
Opcode Fuzzy Hash: e167a1e1c28e1c859388f78e7bbe5d42e93a878a9d2667b8d75a20d07f1c78e5
Instruction Fuzzy Hash: 1BB12570A04741AFE720DF24C48179AB7E5FF853A4F14466DF8585B28ACB71B885CBE2

Function 0047C450 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047DD3D,?,00000000,00000000,00000001,00000000,0047C6ED,?,00000000), ref: 0047C6B1

Strings

Failed to parse "reg" constant, xrefs: 0047C6B8
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047C525

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: be73ed550b73c9f20417e78dc73e822ec0b2bde051a3891d29eeba9427ee46df
Instruction ID: 4f1aaac30373af7a786909edf03acd4fac9d6a039f8d9495eedf865a7040ef78
Opcode Fuzzy Hash: be73ed550b73c9f20417e78dc73e822ec0b2bde051a3891d29eeba9427ee46df
Instruction Fuzzy Hash: FE813274E00118AFCB11EF95D481ADEBBF9AF48354F60816AE414B7391D738AE45CB98

Function 0045CAF4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B

FlushFileBuffers.KERNEL32(?), ref: 0045CD29

Strings

EndOffset range exceeded, xrefs: 0045CC5D
NumRecs range exceeded, xrefs: 0045CC26

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: c7e604c63b29e8d075c99916e6d10cbafca466e6adb22fecd52460a6388c3f12
Instruction ID: 31f4abf116af19d9e5b678acab2297332ff925687264b8022cc2431fdfe05cd7
Opcode Fuzzy Hash: c7e604c63b29e8d075c99916e6d10cbafca466e6adb22fecd52460a6388c3f12
Instruction Fuzzy Hash: 95617234A002948FDB25DF25C891BDAB7B5AF49305F0084DAED899B352D674AEC8CF54

Function 0048594C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485985
SetActiveWindow.USER32(?,00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485997

Strings

Will not restart Windows automatically., xrefs: 00485AB6

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 9d8835dc8d46110495ea61d090e603bececdbc6f3ad0e802ffcb83f831e3beb0
Instruction ID: f83d4e2d24e7b328884665d644b63d6f540d85ee55f206053ba059ac37762111
Opcode Fuzzy Hash: 9d8835dc8d46110495ea61d090e603bececdbc6f3ad0e802ffcb83f831e3beb0
Instruction Fuzzy Hash: 5E411830204A40DFD715FB64DC85BAE7BE89B25308F5549B7E880D73A2D67C9848D71E

Function 0046E1B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046E2D0
Failed to proceed to next wizard page; showing wizard., xrefs: 0046E2E4

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 6c0b08fdae734d3c1eb3fe3f4fe9577e29954076c18d8d916fa6dcbbbaf4cb5a
Instruction ID: 70d08a633ec7b89d525ec852f300456f6342c088b46b0ce34def68a00de2c099
Opcode Fuzzy Hash: 6c0b08fdae734d3c1eb3fe3f4fe9577e29954076c18d8d916fa6dcbbbaf4cb5a
Instruction Fuzzy Hash: 1C31B074604240DFD711DB9AD985F9977F9AB15304F6400FBF4049B3A2E738AE84DB1A

Function 004508A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 00450935
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450966

Strings

open, xrefs: 00450959

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
Instruction ID: 9d2ddf54ec7714fdda98ff8d0cc6f814dd21c32a1b145895e499ae4a69db9d05
Opcode Fuzzy Hash: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
Instruction Fuzzy Hash: 2F212EB4E00604AFEB10DF6AC881B9EB7F8EB44705F10857AB401F7297D6789A45CA58

Function 00455A8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00455B28
GetLastError.KERNEL32(0000003C,00000000,00455B71,?,?,?), ref: 00455B39

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67

Strings

<, xrefs: 00455AE2

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
Instruction ID: 999fafdfd618aac71dabfb14027d48496d6343d42a6da5b956ec7361bda3743f
Opcode Fuzzy Hash: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
Instruction Fuzzy Hash: 48216570A00609AFDB10DF65D8926AE7BF8EF05345F50443BF844E7291D7789E49CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049E420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049E420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
Instruction ID: 917976a40c8b6a40365e5f884633a4dcf06f5f23cdaa1afef62ceea8ee6a87c6
Opcode Fuzzy Hash: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
Instruction Fuzzy Hash: F61101317042046FEB25EB7A9F1A62A6AD4D795758B24087FF404F33D2D9FD9C02826C

Function 0049999A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004999D5

Strings

/INITPROCWND=$%x , xrefs: 00499A00
@, xrefs: 004999A0

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
Instruction ID: 16850a3933f6126195f36b65bc9072021203f0d8c6b6540213bbd0006db66c27
Opcode Fuzzy Hash: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
Instruction Fuzzy Hash: 8B11AF71A042498FDB01DBA9D851BAEBBF9EB98304F50847FE804E7292D63D9D058B58

Function 00447904 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 004479B6

Strings

NIL Interface Exception, xrefs: 00447958
Unknown Method, xrefs: 0044798F

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
Instruction ID: 6ea0978f5b97d4648a43087cb94c4cadf7395b3a3abdd2f7dcac649bd3e58428
Opcode Fuzzy Hash: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
Instruction Fuzzy Hash: A6119371A04244AFEB10DFA58C92AAEBBACEB49704F91407EF504E7281D7789D01CB69

Function 0049920C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000,004992AF), ref: 0049927A
CloseHandle.KERNEL32(00499314,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000), ref: 00499291

Part of subcall function 00499164: GetLastError.KERNEL32(00000000,004991FC,?,?,?,?), ref: 00499188

Strings

D, xrefs: 00499254

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 3852403a966114f0880391513c617ada09f7db3f7ec662499cacf7f263fc3d4a
Instruction ID: 28a6660038b4d88ad00b798bd9ba61154fa8ff357054911c5ced557c69a1e98d
Opcode Fuzzy Hash: 3852403a966114f0880391513c617ada09f7db3f7ec662499cacf7f263fc3d4a
Instruction Fuzzy Hash: B8015EB1604248BFDB00DB96CC42A9F7BACDF49714F51447AF504E72C1D6789E048A28

Function 0042E1F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E208
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E248

Strings

Inno Setup: No Icons, xrefs: 0042E206

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
Instruction ID: a539eabee655ef144818f3097a210d44f5522b7a792cb7edb349fa40b75ec101
Opcode Fuzzy Hash: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
Instruction Fuzzy Hash: 8C01DB3178D371E9F73545637D42B7B578C9B42B60F64027BF941BA2C0DA589C04927E

Function 0049A6E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00455E14: GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
Part of subcall function 00455E14: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29

SetForegroundWindow.USER32(?), ref: 0049A71A

Strings

Restarting Windows., xrefs: 0049A6F7
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049A745

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
Instruction ID: 5122ca49785e6841ab91457b0b89b6e488dcfd7854ae65d0270566c1c2237fbf
Opcode Fuzzy Hash: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
Instruction Fuzzy Hash: EA01D4746041446FEB01FBA5D842B5C2BE99B94309F50447BF400AB2D3DA7CD959875E

Function 0049AE88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047F300: FreeLibrary.KERNEL32(74A90000,00483DC7), ref: 0047F316

Part of subcall function 0047EFD8: GetTickCount.KERNEL32 ref: 0047F022

Part of subcall function 00457B24: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457B43

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049B7DF), ref: 0049AEDD
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049B7DF), ref: 0049AEE3

Strings

Detected restart. Removing temporary directory., xrefs: 0049AE97

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
Instruction ID: 3c913c32d0756031035703f4f4cddf398d0ed36f6509ee9f01125c758f9cf03b
Opcode Fuzzy Hash: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
Instruction Fuzzy Hash: DAE055722082843EDE0277A6BC1382B7F8CD34532D761047BF80481852D92C4820C27E

Function 00477208 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 0047722D
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 00477244

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

CreateFile, xrefs: 00477239

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: c65408f8976d7c549a038a8c0b1a218b4942c580411e651757ed02999df5e0be
Instruction ID: 90e4e6ff62ef8f0e28f50a913bfb33107960128ee808bbf2bf0dc207e29e0456
Opcode Fuzzy Hash: c65408f8976d7c549a038a8c0b1a218b4942c580411e651757ed02999df5e0be
Instruction Fuzzy Hash: A6E06D306883447BEA20EA69DCC6F4A77889B04768F108152FA58AF3E3C5B9EC408658

Function 10013945 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001394C
__CxxThrowException@8.LIBCMT ref: 1001397E

Part of subcall function 1001621B: RaiseException.KERNEL32(?,?,10014774,?,?,?,?,?,10014774,?,1002D024,10031A64), ref: 1001625B

Strings

invalid string position, xrefs: 10013951

Memory Dump Source

Source File: 00000002.00000002.3381047345.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3381032851.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381080659.0000000010030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: 44a50505c95bcc44ecbbb6ae098b36eb3cc4f9aee659903c1f4b8b2b2202d45e
Instruction ID: cc382f927eddd05f6d73bdb53251bee73a652ccb527fc3b47bb6e18114c0897a
Opcode Fuzzy Hash: 44a50505c95bcc44ecbbb6ae098b36eb3cc4f9aee659903c1f4b8b2b2202d45e
Instruction Fuzzy Hash: 6CE0ECB9810098AADB40DBD0EC51BDDB778FB1C351F800125F205AA489DBB4A5488764

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356

Strings

h7v, xrefs: 0040335B

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: h7v
API String ID: 2123368496-2430875575
Opcode ID: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
Instruction ID: 98797e2be282b29c5dcb55f6b27639491d6d1699e35d5459d8823e2e9957d9fe
Opcode Fuzzy Hash: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
Instruction Fuzzy Hash: 72C002609012159AE750EF7758467152A949751349F80447FB104BE1E1D6BD82055BDE

Function 00455EA4 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00455EC3
Sleep.KERNEL32(?), ref: 00455ED3
GetLastError.KERNEL32 ref: 00455EE6
GetLastError.KERNEL32 ref: 00455EF0

Memory Dump Source

Source File: 00000002.00000002.3380267985.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3380250703.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380323665.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380339661.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380357093.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3380375470.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Setup_DigiSignerOne_x86.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
Instruction ID: 9465cf589d0d0c12c73eacd3b1eef521cbdc8b34a4c5067471d78d0fd9128cb0
Opcode Fuzzy Hash: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
Instruction Fuzzy Hash: 08F02B32B05A14774F20A7BB989357FA28CDE44376710512BFD04D7343D939DE4586A8

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup_DigiSignerOne_x86.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\logo_digisign_nou.bmp

C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Setup_DigiSignerOne_x86.exe

Function 00404654 Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Function 0040A050 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 0040AF8D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Function 00409558 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Function 0040AF7A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 00409EC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 00401918 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
memoryCOMMON

Function 0040ACEC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Function 0040AD07 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Function 00409808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Function 00407454 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Function 00407AE0 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Function 00407B20 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON