Edit tour

Windows Analysis Report
msgtopstdemo.exe

Overview

General Information

Sample name:	msgtopstdemo.exe
Analysis ID:	1525130
MD5:	fa7fccb539f58ea32e2a92a0a32af286
SHA1:	1ba6a04fe2d9ebf47d97f2c6b295c33ad5803a3e
SHA256:	ee8fc4c0c9cb55699ef0bf026d5af42e7bb82d535ac8d84c8480569040f27257
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msgtopstdemo.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\msgtopstdemo.exe" MD5: FA7FCCB539F58EA32E2A92A0A32AF286)

msgtopstdemo.tmp (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe" MD5: 03B1E8078CAE9C05B81C8B8FE2A11840)

MsgToPst.exe (PID: 7752 cmdline: "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe" MD5: 5F741C35077C33000CF0638178E1F070)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: msgtopstdemo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu

Source: msgtopstdemo.exe

Static PE information: certificate valid

Source: msgtopstdemo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: _c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr
Source:	Binary string: d:\Bjornar\SVN\istool\isxdl\trunk\source\Release\isxdl.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004987000.00000004.00001000.00020000.00000000.sdmp, isxdl.dll.1.dr
Source:	Binary string: c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C

Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: msgtopstdemo.exe	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-2.crl0
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: MsgToPst.exe, 00000005.00000002.2952651282.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.godaddy.com/0
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.godaddy.com/05
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701048720.0000000003130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datavare.com/
Source: msgtopstdemo.tmp, 00000001.00000003.2029636409.0000000002168000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datavare.com/B
Source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr	String found in binary or memory: http://www.datavare.com/contact-us.html
Source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr	String found in binary or memory: http://www.datavare.com/software/order/msg-to-pst-expert.html
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: isxdl.dll.1.dr	String found in binary or memory: http://www.istool.org/
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msgtopstdemo.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: msgtopstdemo.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: msgtopstdemo.exe	String found in binary or memory: https://certs.godaddy.com/repository/0

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00423FD4 NtdllDefWindowProc_A,	1_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00412A28 NtdllDefWindowProc_A,	1_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042F9C0 NtdllDefWindowProc_A,	1_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00479D08 NtdllDefWindowProc_A,	1_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457D90

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042ED84

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00408888	0_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00468034	1_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00471688	1_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0048F6BC	1_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00435768	1_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00488030	1_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0046A088	1_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00452100	1_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0043E1F0	1_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004307FC	1_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00444968	1_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00434A64	1_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00444F10	1_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00488F90	1_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00431388	1_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00445608	1_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0045F8C0	1_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0045B970	1_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00445A14	1_2_00445A14
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Code function: 5_2_00DCDCF4	5_2_00DCDCF4

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403684 appears 229 times

Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: msgtopstdemo.exe, 00000000.00000003.1699586406.000000000254A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs msgtopstdemo.exe
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002446000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs msgtopstdemo.exe

Source: msgtopstdemo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@5/14@0/0

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_004565A8

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_00456DD4 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456DD4

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Code function: 0_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A0D4

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\msgtopstdemo.exe

File created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: msgtopstdemo.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: msgtopstdemo.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\msgtopstdemo.exe

File read: C:\Users\user\Desktop\msgtopstdemo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msgtopstdemo.exe "C:\Users\user\Desktop\msgtopstdemo.exe"
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe"
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Datavare MSG to PST Converter - Demo Version.lnk.1.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: msgtopstdemo.exe

Static PE information: certificate valid

Source: msgtopstdemo.exe

Static file information: File size 2391528 > 1048576

Source: msgtopstdemo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: _c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr
Source:	Binary string: d:\Bjornar\SVN\istool\isxdl\trunk\source\Release\isxdl.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004987000.00000004.00001000.00020000.00000000.sdmp, isxdl.dll.1.dr
Source:	Binary string: c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_004489CC LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_004489CC

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00406A18 push 00406A55h; ret	0_2_00406A4D
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004093B4 push 004093E7h; ret	0_2_004093DF
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00408580 push ecx; mov dword ptr [esp], eax	0_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00409D9C push 00409DD9h; ret	1_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0041A078 push ecx; mov dword ptr [esp], ecx	1_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00452100 push ecx; mov dword ptr [esp], eax	1_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040A273 push ds; ret	1_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040A29F push ds; ret	1_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00460518 push ecx; mov dword ptr [esp], ecx	1_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00496594 push ecx; mov dword ptr [esp], ecx	1_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004587B4 push 004587ECh; ret	1_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00410930 push ecx; mov dword ptr [esp], edx	1_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00486A94 push ecx; mov dword ptr [esp], ecx	1_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00478D50 push ecx; mov dword ptr [esp], edx	1_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00412D78 push 00412DDBh; ret	1_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040D288 push ecx; mov dword ptr [esp], edx	1_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040F7E8 push ecx; mov dword ptr [esp], edx	1_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004438E0 push ecx; mov dword ptr [esp], ecx	1_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00459ACC push 00459B10h; ret	1_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0049BD44 pushad ; retf	1_2_0049BD53

Source: C:\Users\user\Desktop\msgtopstdemo.exe	File created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Datavare MSG to PST Converter - Demo Version.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0041811E IsIconic,SetWindowPos,	1_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004245E4 IsIconic,SetActiveWindow,	1_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042462C IsIconic,SetActiveWindow,SetFocus,	1_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004179E8 IsIconic,GetCapture,	1_2_004179E8

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F568

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-6075

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Code function: 0_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_0040A018

Source: msgtopstdemo.tmp, 00000001.00000002.2030670411.0000000000596000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_004489CC LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_004489CC

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047974C

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042F254

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E4EC

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: GetLocaleInfoA,	0_2_0040565C
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: GetLocaleInfoA,	0_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: GetLocaleInfoA,	1_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: GetLocaleInfoA,	1_2_00408A04

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458DC4

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_00455D38 GetUserNameA,

1_2_00455D38

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_00404654

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	2 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	3 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	26 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msgtopstdemo.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp	0%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	2%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	0%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	7%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/0	msgtopstdemo.exe	false		unknown
http://www.fontbureau.com/designers?	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	msgtopstdemo.exe	false		unknown
http://certs.godaddy.com/repository/1301	msgtopstdemo.exe	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	msgtopstdemo.exe	false		unknown
http://www.tiro.com	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.godaddy.com/gdig2s5-2.crl0	msgtopstdemo.exe	false		unknown
http://www.datavare.com/	msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701048720.0000000003130000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://certs.godaddy.com/repository/0	msgtopstdemo.exe	false		unknown
http://www.goodfont.co.kr	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	msgtopstdemo.exe	false		unknown
http://ocsp.starfieldtech.com/0D	msgtopstdemo.exe	false		unknown
http://www.carterandcone.coml	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot-g2.crl0F	msgtopstdemo.exe	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.starfieldtech.com/repository/0	msgtopstdemo.exe	false		unknown
http://www.remobjects.com/psU	msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	false	URL Reputation: safe	unknown
http://ns.ado	MsgToPst.exe, 00000005.00000002.2952651282.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.istool.org/	isxdl.dll.1.dr	false		unknown
http://www.fonts.com	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.starfieldtech.com/repository/sfsroot.crl0P	msgtopstdemo.exe	false		unknown
http://www.remobjects.com/ps	msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/gdig2.crt0	msgtopstdemo.exe	false		unknown
http://www.datavare.com/B	msgtopstdemo.tmp, 00000001.00000003.2029636409.0000000002168000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.sakkal.com	MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datavare.com/contact-us.html	msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525130
Start date and time:	2024-10-03 18:21:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msgtopstdemo.exe
Detection:	CLEAN
Classification:	clean5.winEXE@5/14@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 193 Number of non-executed functions: 153
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: msgtopstdemo.exe

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5050880
Entropy (8bit):	6.3876194256628755
Encrypted:	false
SSDEEP:	49152:YICZg+BaNccooZoE6qvw3RYUqTpWtGve8XrxJgo1dHLlx7:YVg+BSc3oZDqGUqTp3v
MD5:	C5F5518DD191ECFF9A02E2156A92557D
SHA1:	B3AF400B667AD046CE7A03F443905CACFC9BE45B
SHA-256:	DD1659341475958E1880AB344D84C019886ABBF402DAEDCC4104D88F6A01F6B5
SHA-512:	47C55D44A6F57805825BAB64FF27908F6255186D432A3B3452350D30CC961A604EA1BC009D46280E523B7941F8C0F603728644678DF22FCAB83E0830DEDFA90C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.V...........!......M.........B'M.. ...@M...@.. ........................M.......N...@..................................&M.W....`M.$....................@M...................................................... ............... ..H............text...H.M.. ....M................. ..`.reloc.......@M.......M.............@..B.rsrc...$....`M.......M.............@..@................$'M.....H.........0..C...........O'.....x.0......................................0...........,..-.+.(./..+.(./..+...0..+..........-.&...-.&...-.&.(g....Y(h...+.&+.&+.&+...0.............-.&(....+.&+.....0...........(i...u.....-.&.+..+....0....................-+&&&&&&...o. ......o. ....X.,.&.{....9....+.(....+..+....{....(j....,.&..-.&+9.+..+.....%.X.- &.{......{....Y.Z.?_c...X.-.&+.....+..+...2....Y.-.&.%{.....Y.-.&&.{.....>\|...+.....+.}....+....o. .....o. .....o. ..*......=.6.~]

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Config.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	data
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	5.48634308035643
Encrypted:	false
SSDEEP:	24:3Yp/OWbdNmigXnCi7xzx+p51xWQD4vJvsvXr:3MrPEXnCip4p51xWL+Xr
MD5:	B2B97996B6AE49DB4D364D53225BDE0E
SHA1:	A04148AB5BAC7F74A08BF796BA321741292497AA
SHA-256:	CE71A6C5D871ADD5CC25DC96F485B3E7D5FC557B20881ACD77363B2E22968347
SHA-512:	A088277CD01AECDB247A18B9B70C1999A0E54D119419D10998C285EA1A66785F7974F861504EB6B518E78BAB4A5B052B3F0D2190BE7F3A8CE4C83F58DBFDACB4
Malicious:	false
Reputation:	low
Preview:	ba&32~(;,-710c\|opn\|~;0=1:709c\|+8sf\|a`STb.7=;0-;`ST~~b.??`ST~~~~b.7=;0-;:.1`.18?5;0bq.7=;0-;:.1`ST~~~~b.3?72.1`=10?=.-18?5;0p=13bq.3?72.1`ST~~~~b.7=;0-;.'.;`.;(;21.;,~...bq.7=;0-;.'.;`ST~~~~b.7=;0-;.1;`.737;:~1~o~:;(;21.;,r~+02737;:~.6'-7=?2~21=?710-bq.7=;0-;.1;`ST~~~~b.,:;,..`oknlnfnfnlmjbq.,:;,..`ST~~~~b.-;,..`lgnlnlbq.-;,..`ST~~~~b...`.67-~7-~?~,;:7-,7<+?<2;~27=;0-;bq...`ST~~~~b.,1:+=-`ST~~~~~~b.,1:+=`.-.1-;p.3?72~81,~p...bq.,1:+=`ST~~~~bq.,1:+=-`ST~~~~b.:7710.'.;`.0;,.,7-;bq.:7710.'.;`ST~~~~b.;,7?2.+3<;,`ok<<<llfs=hf;sj;m8sghomsji=kjjk=jkiibq.;,7?2.+3<;,`ST~~~~b.+<-=,7.710.&.7,'`lnohnlnfbq.+<-=,7.710.&.7,'`ST~~~~b.7=;0-;.;,-710`mpnbq.7=;0-;.;,-710`ST~~~~b.7=;0-;.0-,+=710-`6.dqq)))p?-.1-;p=13q=1,.1,?;q.+,=6?-;q27=;0-;s70-,+=710-p?-.&bq.7=;0-;.0-,+=710-`ST~~bq.??`ST~~b.790?+,;`..=..-.,.=o$..q:..2f+.u..77u;,l2.,k..n,7..2...+u.7h......=).l9.l.56.$....5..i)7...?5..hmmf?.-...)n4.7.8..1....l..$lgg.f8$3q?/?1h..*.$.-)869(<.?17.g.(6$h..:??.l11.i'....6.9cbq.79

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1021952
Entropy (8bit):	2.9698644386804225
Encrypted:	false
SSDEEP:	12288:2j3HjlkA2Q52Wvf54rSHjlkA2Q52Wvf54ZhHjlkA2Q52Wvf5495BkHjlkA2Q52WO:2jQ7g5B
MD5:	5F741C35077C33000CF0638178E1F070
SHA1:	4C3CB86F34ED823FBFBEDF678DB36434817758ED
SHA-256:	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
SHA-512:	266F70522DBB67522D104938981F3A35AAF7DC8681F456A032E9EA284E4252EE0D7A952750C1EE78BA9726193D28E5FA5DF2630C927B4373B45F7168F92F7486
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../Z................................. ... ....@.. ....................................@.................................l...O.... ..............................4................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H............>......%...XP..Y...........................................b..}.....(.......(......&..(............0..,.........,..{.......+.....-...{....o........(.....*.0............s....}.........(....s.......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......(......{.....o .....{........s!...o".....{....(#...o$.....{.....r...po%...t9...o&

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1021952
Entropy (8bit):	2.9698644386804225
Encrypted:	false
SSDEEP:	12288:2j3HjlkA2Q52Wvf54rSHjlkA2Q52Wvf54ZhHjlkA2Q52Wvf5495BkHjlkA2Q52WO:2jQ7g5B
MD5:	5F741C35077C33000CF0638178E1F070
SHA1:	4C3CB86F34ED823FBFBEDF678DB36434817758ED
SHA-256:	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
SHA-512:	266F70522DBB67522D104938981F3A35AAF7DC8681F456A032E9EA284E4252EE0D7A952750C1EE78BA9726193D28E5FA5DF2630C927B4373B45F7168F92F7486
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../Z................................. ... ....@.. ....................................@.................................l...O.... ..............................4................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H............>......%...XP..Y...........................................b..}.....(.......(......&..(............0..,.........,..{.......+.....-...{....o........(.....*.0............s....}.........(....s.......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......(......{.....o .....{........s!...o".....{....(#...o$.....{.....r...po%...t9...o&

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	956069
Entropy (8bit):	5.923382701372054
Encrypted:	false
SSDEEP:	24576:5McMoi3rPR37dzHRA6G7WbuSEmK50Lyx9M3:5MrPR37dzHRA6GCbB80O8
MD5:	52414630A8FA97F12AF0F6402915576D
SHA1:	22C9F8629B2A2202DA0C5633C7488C10F0CDFA97
SHA-256:	BF8B71C38FA5E2B550A886858C9D23E88C1D2E1B0E5D1DC084032CF640A6F308
SHA-512:	32A1661AFF26EFFD7386C0DA39B6753F93AD9631F4F3DD7FD82EEC0710A5B155217492BC9DF25BBE476EEF2A007B3E06EDF5E528E2F7D7542082CE9108AD885E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................p............@......@...............................&...........................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5050880
Entropy (8bit):	6.3876194256628755
Encrypted:	false
SSDEEP:	49152:YICZg+BaNccooZoE6qvw3RYUqTpWtGve8XrxJgo1dHLlx7:YVg+BSc3oZDqGUqTp3v
MD5:	C5F5518DD191ECFF9A02E2156A92557D
SHA1:	B3AF400B667AD046CE7A03F443905CACFC9BE45B
SHA-256:	DD1659341475958E1880AB344D84C019886ABBF402DAEDCC4104D88F6A01F6B5
SHA-512:	47C55D44A6F57805825BAB64FF27908F6255186D432A3B3452350D30CC961A604EA1BC009D46280E523B7941F8C0F603728644678DF22FCAB83E0830DEDFA90C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.V...........!......M.........B'M.. ...@M...@.. ........................M.......N...@..................................&M.W....`M.$....................@M...................................................... ............... ..H............text...H.M.. ....M................. ..`.reloc.......@M.......M.............@..B.rsrc...$....`M.......M.............@..@................$'M.....H.........0..C...........O'.....x.0......................................0...........,..-.+.(./..+.(./..+...0..+..........-.&...-.&...-.&.(g....Y(h...+.&+.&+.&+...0.............-.&(....+.&+.....0...........(i...u.....-.&.+..+....0....................-+&&&&&&...o. ......o. ....X.,.&.{....9....+.(....+..+....{....(j....,.&..-.&+9.+..+.....%.X.- &.{......{....Y.Z.?_c...X.-.&+.....+..+...2....Y.-.&.%{.....Y.-.&&.{.....>\|...+.....+.}....+....o. .....o. .....o. ..*......=.6.~]

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1021952
Entropy (8bit):	2.9698644386804225
Encrypted:	false
SSDEEP:	12288:2j3HjlkA2Q52Wvf54rSHjlkA2Q52Wvf54ZhHjlkA2Q52Wvf5495BkHjlkA2Q52WO:2jQ7g5B
MD5:	5F741C35077C33000CF0638178E1F070
SHA1:	4C3CB86F34ED823FBFBEDF678DB36434817758ED
SHA-256:	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
SHA-512:	266F70522DBB67522D104938981F3A35AAF7DC8681F456A032E9EA284E4252EE0D7A952750C1EE78BA9726193D28E5FA5DF2630C927B4373B45F7168F92F7486
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../Z................................. ... ....@.. ....................................@.................................l...O.... ..............................4................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H............>......%...XP..Y...........................................b..}.....(.......(......&..(............0..,.........,..{.......+.....-...{....o........(.....*.0............s....}.........(....s.......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......{....o......{....o......(......{.....o .....{........s!...o".....{....(#...o$.....{.....r...po%...t9...o&

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-SNPO1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	data
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	5.48634308035643
Encrypted:	false
SSDEEP:	24:3Yp/OWbdNmigXnCi7xzx+p51xWQD4vJvsvXr:3MrPEXnCip4p51xWL+Xr
MD5:	B2B97996B6AE49DB4D364D53225BDE0E
SHA1:	A04148AB5BAC7F74A08BF796BA321741292497AA
SHA-256:	CE71A6C5D871ADD5CC25DC96F485B3E7D5FC557B20881ACD77363B2E22968347
SHA-512:	A088277CD01AECDB247A18B9B70C1999A0E54D119419D10998C285EA1A66785F7974F861504EB6B518E78BAB4A5B052B3F0D2190BE7F3A8CE4C83F58DBFDACB4
Malicious:	false
Reputation:	low
Preview:	ba&32~(;,-710c\|opn\|~;0=1:709c\|+8sf\|a`STb.7=;0-;`ST~~b.??`ST~~~~b.7=;0-;:.1`.18?5;0bq.7=;0-;:.1`ST~~~~b.3?72.1`=10?=.-18?5;0p=13bq.3?72.1`ST~~~~b.7=;0-;.'.;`.;(;21.;,~...bq.7=;0-;.'.;`ST~~~~b.7=;0-;.1;`.737;:~1~o~:;(;21.;,r~+02737;:~.6'-7=?2~21=?710-bq.7=;0-;.1;`ST~~~~b.,:;,..`oknlnfnfnlmjbq.,:;,..`ST~~~~b.-;,..`lgnlnlbq.-;,..`ST~~~~b...`.67-~7-~?~,;:7-,7<+?<2;~27=;0-;bq...`ST~~~~b.,1:+=-`ST~~~~~~b.,1:+=`.-.1-;p.3?72~81,~p...bq.,1:+=`ST~~~~bq.,1:+=-`ST~~~~b.:7710.'.;`.0;,.,7-;bq.:7710.'.;`ST~~~~b.;,7?2.+3<;,`ok<<<llfs=hf;sj;m8sghomsji=kjjk=jkiibq.;,7?2.+3<;,`ST~~~~b.+<-=,7.710.&.7,'`lnohnlnfbq.+<-=,7.710.&.7,'`ST~~~~b.7=;0-;.;,-710`mpnbq.7=;0-;.;,-710`ST~~~~b.7=;0-;.0-,+=710-`6.dqq)))p?-.1-;p=13q=1,.1,?;q.+,=6?-;q27=;0-;s70-,+=710-p?-.&bq.7=;0-;.0-,+=710-`ST~~bq.??`ST~~b.790?+,;`..=..-.,.=o$..q:..2f+.u..77u;,l2.,k..n,7..2...+u.7h......=).l9.l.56.$....5..i)7...?5..hmmf?.-...)n4.7.8..1....l..$lgg.f8$3q?/?1h..*.$.-)869(<.?17.g.(6$h..:??.l11.i'....6.9cbq.79

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	InnoSetup Log Datavare MSG to PST Converter - Demo Version {B704DD12-0FC2-4CCC-A183-86D06E9674A6}, version 0x30, 19133 bytes, 216554\user, "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version"
Category:	dropped
Size (bytes):	19133
Entropy (8bit):	4.569440798598775
Encrypted:	false
SSDEEP:	384:F6j51FRESZE8DypfbzrL1rRkx129kTGfnrutQ:FP8MfrLzkx129lqtQ
MD5:	786D190AA981F1EDB691F798C8C91143
SHA1:	7CCC3EFF1402CA8766C46FAD9721D9BA6B4C62FC
SHA-256:	55AAC1D0D1E430338F0229CBEC211A0AEFC225ABC61B92FB133599CC2A5BA2CA
SHA-512:	7F863E61CB1392C907563AA06F55EDB248CDE1C4BA87A411520D2F764284D4C7D902753F03F4FE8FAC36DDF562F0D51F9FFCC5D8718D51A1799B3F25E099358C
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{B704DD12-0FC2-4CCC-A183-86D06E9674A6}..........................................................................................Datavare MSG to PST Converter - Demo Version....................................................................................0........J..%...............................................................................................................".5............S......c....216554.userCC:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version.............#.... ......E....=IFPS........A....................................................................................................BOOLEAN....................................................TOUTPUTPROGRESSWIZARDPAGE....TOUTPUTPROGRESSWIZARDPAGE.......................!OPENARRAYOFSTRING..................................................................................!MAIN....-1..(...dll:files:isxdl.dll.isxdl_AddFile.........-...dll:fi

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	956069
Entropy (8bit):	5.923382701372054
Encrypted:	false
SSDEEP:	24576:5McMoi3rPR37dzHRA6G7WbuSEmK50Lyx9M3:5MrPR37dzHRA6GCbB80O8
MD5:	52414630A8FA97F12AF0F6402915576D
SHA1:	22C9F8629B2A2202DA0C5633C7488C10F0CDFA97
SHA-256:	BF8B71C38FA5E2B550A886858C9D23E88C1D2E1B0E5D1DC084032CF640A6F308
SHA-512:	32A1661AFF26EFFD7386C0DA39B6753F93AD9631F4F3DD7FD82EEC0710A5B155217492BC9DF25BBE476EEF2A007B3E06EDF5E528E2F7D7542082CE9108AD885E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................p............@......@...............................&...........................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Datavare MSG to PST Converter - Demo Version.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 3 15:22:35 2024, mtime=Thu Oct 3 15:22:35 2024, atime=Tue Dec 12 18:28:02 2017, length=1021952, window=hide
Category:	dropped
Size (bytes):	1344
Entropy (8bit):	4.541777816414468
Encrypted:	false
SSDEEP:	24:8mONZAEJdOEJHAG5yNXWJEVuyA9xadS5yNNcVCdS5yNKUUF/qyFm:8mcVJdOwAGWG6m9xadSWOCdSWrfyF
MD5:	348597AC50A89FBACB8A494884A0E6C7
SHA1:	D834756538D599EBE9A3F7F060B973938D04996B
SHA-256:	EB4BC2B7231B77C2989DA096C4DD3221DB077D736DF737C505D9175463CEC996
SHA-512:	8891A2504CB99D149334B0D2ACECEB2CE3BCE708F96CC2B9FEE403FDBCA5CDB52FD10EB6CCE524E544FD67F9A1B2EAC827992E39C6071C124186CC6394B9EB89
Malicious:	false
Preview:	L..................F.... ....Z.t.......t......US.s...............................P.O. .:i.....+00.../C:\.....................1.....CY...PROGRA~2.........O.ICY.....................V......8k.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1.....CY...DATAVA~1.........CY.CY..............................D.a.t.a.v.a.r.e. .M.S.G. .t.o. .P.S.T. .C.o.n.v.e.r.t.e.r. .-. .D.e.m.o. .V.e.r.s.i.o.n.....f.2......K.. .MsgToPst.exe..J......CY.CY.....i.........................M.s.g.T.o.P.s.t...e.x.e.......................-.......~.............mU.....C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe..\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.a.t.a.v.a.r.e. .M.S.G. .t.o. .P.S.T. .C.o.n.v.e.r.t.e.r. .-. .D.e.m.o. .V.e.r.s.i.o.n.\.M.s.g.T.o.P.s.t...e.x.e.C.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.a.t.a.v.a.r.e. .M.S.G. .t.o. .P.S.T. .C.o.n.v.e.r.t.e.r. .-. .D.e.m.o. .V.e.r.s.i.o.n.........*.

C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124416
Entropy (8bit):	6.209017847933318
Encrypted:	false
SSDEEP:	1536:dohlISko4eZHOMazWpdYoEWSekaDnXUq5o5dInL:dkIM4ehDaqEpMXUq5o5dIL
MD5:	48AD1A1C893CE7BF456277A0A085ED01
SHA1:	803997EF17EEDF50969115C529A2BF8DE585DC91
SHA-256:	B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3
SHA-512:	7C9E7FE9F00C62CCCB5921CB55BA0DD96A0077AD52962473C1E79CDA1FD9AA101129637043955703121443E1F8B6B2860CD4DFDB71052B20A322E05DEED101A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................;......;..........u...............................Rich....................PE..L....>.I...........!.....F...................`............................... .......)......................................\|...d........-...........................b..................................@............`..4............................text....D.......F.................. ..`.rdata...<...`...>...J..............@..@.data...............................@....rsrc....-..........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Download File

Process:	C:\Users\user\Desktop\msgtopstdemo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	944640
Entropy (8bit):	5.90600045027503
Encrypted:	false
SSDEEP:	24576:hMcMoi3rPR37dzHRA6G7WbuSEmK50Lyx9Ms:hMrPR37dzHRA6GCbB80OB
MD5:	03B1E8078CAE9C05B81C8B8FE2A11840
SHA1:	0780EAB7701BC74614159DC703DB72283F95C91B
SHA-256:	3AAE4693EA36C39A5330BF720877868D5868E7775D963FC6A64B3C69ADABEC35
SHA-512:	9E0D5B9F5E626ACD4747B58F4ABFB0A6221314C6ECC1B6FFA0788814D3BFB093B4256E05DA76D7B908284EBA189F76BEC54EC571693DA868575ED61A6C7C13D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................p............@......@...............................&...........................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.785776184585562
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	msgtopstdemo.exe
File size:	2'391'528 bytes
MD5:	fa7fccb539f58ea32e2a92a0a32af286
SHA1:	1ba6a04fe2d9ebf47d97f2c6b295c33ad5803a3e
SHA256:	ee8fc4c0c9cb55699ef0bf026d5af42e7bb82d535ac8d84c8480569040f27257
SHA512:	5d609ddfd936a66705a0c347d1c1c89a2fedf37a51104430c2fad5200bb9eddc919d2d076bc9d8f634fbc436ff0609da8f28e95ddf87a60813b54b9b67851377
SSDEEP:	49152:7475ldTxlFmUF4cjZzBDs6vDuC5q9yZ4w60/z0+AOl:E5DFnFLHskuC5Qyqw60/zl
TLSH:	1CB523979775537BC442D97022C0B3C2C53DBED8342E8DBF2C489628EB6B654593CAB2
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7968cc8cc4e66060

Static PE Info

General

Entrypoint:	0x40aa98
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/12/2016 17:13:00 24/12/2017 09:51:38
Subject Chain	CN=DATAVARE SOFTWARE AND SERVICES LLP, O=DATAVARE SOFTWARE AND SERVICES LLP, L=New Delhi, S=Delhi, C=IN
Version:	3
Thumbprint MD5:	EA7307FD7B68D3802EE07F6DBEBEF440
Thumbprint SHA-1:	14E33129E5177106A28E90CBF15B2E3310B80D2E
Thumbprint SHA-256:	F7B7E942FD0EA2AFAC0734A45B023C321807B3AF621BC529EC5E361F46644375
Serial:	00A1ABBFC64605A0FE

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F12A9296523h
call 00007F12A929772Ah
call 00007F12A9297A91h
call 00007F12A9297EACh
call 00007F12A9299E4Bh
call 00007F12A929C7E2h
call 00007F12A929C949h
xor eax, eax
push ebp
push 0040B169h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040B132h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040D014h]
call 00007F12A929D41Bh
call 00007F12A929D006h
cmp byte ptr [0040C234h], 00000000h
je 00007F12A929DEFEh
call 00007F12A929D518h
xor eax, eax
call 00007F12A9297219h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F12A929A45Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040DE30h
call 00007F12A92965BAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040DE30h]
mov dl, 01h
mov eax, 00407808h
call 00007F12A929AD16h
mov dword ptr [0040DE34h], eax
xor edx, edx
push ebp
push 0040B0EAh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F12A929D476h
mov dword ptr [0040DE3Ch], eax
mov eax, dword ptr [0040DE3Ch]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x3b0c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x246900	0x14e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa1d0	0xa200	b7ea439d9c6d5ec722056c9243fb3054	False	0.6025028935185185	data	6.643749028594943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	9b2268ed5360951559d8041925d025fb	False	0.3037109375	data	2.740124513017086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x91c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x3b0c8	0x3b200	c3dfc42115bda19f0c60b634bb04f1e4	False	0.0616906712473573	data	2.5080689992363787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x122c4	0x39808	Device independent bitmap graphic, 256 x 446 x 32, image size 228352	English	United States	0.05279202472742094
RT_STRING	0x4bacc	0x2f2	data			0.35543766578249336
RT_STRING	0x4bdc0	0x30c	data			0.3871794871794872
RT_STRING	0x4c0cc	0x2ce	data			0.42618384401114207
RT_STRING	0x4c39c	0x68	data			0.75
RT_STRING	0x4c404	0xb4	data			0.6277777777777778
RT_STRING	0x4c4b8	0xae	data			0.5344827586206896
RT_RCDATA	0x4c568	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x4c594	0x14	data	English	United States	1.2
RT_VERSION	0x4c5a8	0x4f4	data	English	United States	0.2870662460567823
RT_MANIFEST	0x4ca9c	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	12:22:07
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\msgtopstdemo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\msgtopstdemo.exe"
Imagebase:	0x400000
File size:	2'391'528 bytes
MD5 hash:	FA7FCCB539F58EA32E2A92A0A32AF286
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:22:08
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe"
Imagebase:	0x400000
File size:	944'640 bytes
MD5 hash:	03B1E8078CAE9C05B81C8B8FE2A11840
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 7%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:22:40
Start date:	03/10/2024
Path:	C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe"
Imagebase:	0x6b0000
File size:	1'021'952 bytes
MD5 hash:	5F741C35077C33000CF0638178E1F070
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.9%
Total number of Nodes:	1541
Total number of Limit Nodes:	24

Executed Functions

Function 00404654 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 0040466F
GetVersion.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 00404676
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048B5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048CB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 004048D6

Strings

userenv.dll, xrefs: 0040473F
uxtheme.dll, xrefs: 0040471C
profapi.dll, xrefs: 00404857
SetProcessDEPPolicy, xrefs: 004048C5
comres.dll, xrefs: 0040487A
SetDefaultDllDirectories, xrefs: 00404685
dwmapi.dll, xrefs: 004047CB
propsys.dll, xrefs: 004047A8
setupapi.dll, xrefs: 00404762
SetSearchPathMode, xrefs: 004048AF
version.dll, xrefs: 00404834
SetDllDirectoryW, xrefs: 004046AD
apphelp.dll, xrefs: 00404785
clbcatq.dll, xrefs: 0040489D
kernel32.dll, xrefs: 0040466A
oleacc.dll, xrefs: 00404811
cryptbase.dll, xrefs: 004047EE

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-2388063882
Opcode ID: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
Instruction ID: 9e7baa03e94b680687c531d55c537e9110a8ac934c54f9465d7227ec1282235b
Opcode Fuzzy Hash: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
Instruction Fuzzy Hash: B2611070600149AFDB00FBF6DA8398E77A99F80309B2045BBA604772D6D778EF059B5D

Function 0040A018 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 0040A02A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A035
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A076
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0A8
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0B8

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
Instruction ID: f5309bbdda193f62b4be3c179e768a57e3f3f612c04de257546ab44ee606f1f6
Opcode Fuzzy Hash: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
Instruction Fuzzy Hash: 142190B1240308ABD6309E69CC85F5777D8DF85354F08493AFAC5E33C2D63DE860866A

Function 0040565C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
Instruction ID: d14b50eaf9df709ed1cf3d56deeb77a2084f63d122e7671578114c6bad5e918b
Opcode Fuzzy Hash: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
Instruction Fuzzy Hash: 68E0D87170021427D711A9699C86EFB735CDB58314F4006BFB909E73C6EDB59E8046ED

Function 00409520 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 00409542
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409548
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 0040955C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409562

Strings

kernel32.dll, xrefs: 0040953D, 00409557
Wow64RevertWow64FsRedirection, xrefs: 00409552
shell32.dll, xrefs: 0040959F
Wow64DisableWow64FsRedirection, xrefs: 00409538

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
Instruction ID: 3d1781b746021e9606986d5b6d55f7cbde73f6a932e0ba52378b2443c6d91f24
Opcode Fuzzy Hash: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
Instruction Fuzzy Hash: 79115470908244BEDB01FBA2CD43B5A7B68D784744F204477F501762D3DA7D5E08DA2D

Function 0040AF57 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
SetWindowLongA.USER32(00020450,000000FC,Function_00009E00), ref: 0040AFB5

Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4

Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(00020450,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Strings

STATIC, xrefs: 0040AF97
/SL5="$%x,%d,%d,, xrefs: 0040AFF5
InnoSetupLdrWindow, xrefs: 0040AF92

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 849423697-3001827809
Opcode ID: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
Instruction ID: d96ad4f456555d006dfdd6a111ba55fa130d32b67bbf9cfe256734ebf9c0f5f1
Opcode Fuzzy Hash: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
Instruction Fuzzy Hash: 95413070A006449BD711EBE9EE85B9A77E4EB58304F10427BF514BB2E1C7B89C49CB9C

Function 0040AF42 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
SetWindowLongA.USER32(00020450,000000FC,Function_00009E00), ref: 0040AFB5

Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4

Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(00020450,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Strings

STATIC, xrefs: 0040AF97
/SL5="$%x,%d,%d,, xrefs: 0040AFF5
InnoSetupLdrWindow, xrefs: 0040AF92

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
Instruction ID: 22e85acea042a1c9b241f29fbd05952515ad99a43a6683ef4ce3977848861488
Opcode Fuzzy Hash: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
Instruction Fuzzy Hash: 00410971A006049BD710EBE9EE85BAA77A4EB58304F10427AF514BB2E1D7789C48CB9C

Function 00409E8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44

Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C

Strings

D, xrefs: 00409ED6

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
Instruction ID: c83664c5db2498e28503e3c1fa1a9009394fa647db11d74ebe1f458a85c7f7ae
Opcode Fuzzy Hash: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
Instruction Fuzzy Hash: 19113DB16042096ADB00EBE6CC42F9EB7ACEF89714F50017AB604F72C6DA789D048669

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

Function 0040ACB4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18

Strings

@z@, xrefs: 0040ADCC
.tmp, xrefs: 0040AD5E
d~@, xrefs: 0040AE21

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Message
String ID: .tmp$@z@$d~@
API String ID: 2030045667-2080866987
Opcode ID: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
Instruction ID: dd76c9251985b1ff4450233ddc9785193850427026a6d5c0e90a1b5537d094b7
Opcode Fuzzy Hash: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
Instruction Fuzzy Hash: 4B419570A046009FD705EFA5DE91A2A77A5EB59304B11447BF804BB7E1CA79AC04CB9D

Function 0040ACCF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18

Strings

@z@, xrefs: 0040ADCC
.tmp, xrefs: 0040AD5E
d~@, xrefs: 0040AE21

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Message
String ID: .tmp$@z@$d~@
API String ID: 2030045667-2080866987
Opcode ID: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
Instruction ID: bf9d77eae5c07405b3109107b1835c74e23881a639ebcc62aff07684a9841850
Opcode Fuzzy Hash: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
Instruction Fuzzy Hash: BF419570B006019FD705EFA5DE92A6A77A5EB59304B10447BF804BB7E1CBB9AC04CB9D

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

Function 004097D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409816
GetLastError.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040981F

Strings

.tmp, xrefs: 004097FF

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
Instruction ID: 48b9f2fdce89366346d31e95a36bae064327856a755920fc8e2ea7d65379a348
Opcode Fuzzy Hash: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
Instruction Fuzzy Hash: 23211575A10208ABDB05FFE5C8529DFB7B9EB48304F10457BE901B73C2DA789E05CAA5

Function 00409978 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?), ref: 00409997
Sleep.KERNEL32(?), ref: 004099A7
GetLastError.KERNEL32(?), ref: 004099BA
GetLastError.KERNEL32(?), ref: 004099C4

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
Instruction ID: 55ccdd2d2ee1bdbcd31af2ea42c7aee1c1b219f05c386506858fe4dd166fe014
Opcode Fuzzy Hash: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
Instruction Fuzzy Hash: 6AF090B2A0511856CA25A6AE9881B6FB28CEAC0368714413FFA44F7383D43DDC0152BA

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

Function 00409438 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00409495), ref: 0040946F
GetLastError.KERNEL32(00000000,00000000,00409495), ref: 00409477

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
Instruction ID: 3a2bfa3924d7da3ec485a5c2eebce42195f764b2344cc107bbad9e5710e02f6c
Opcode Fuzzy Hash: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
Instruction Fuzzy Hash: 3EF0AF71A08608ABCB01EFB59C4159EB3A8EB8831476045BBF808F32C3E6395E018599

Function 0040741C Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00407426
LoadLibraryA.KERNEL32(00000000,00000000,00407470,?,00000000,0040748E,?,00008000), ref: 00407455

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
Instruction ID: f52ba4a9feec5d4d4615fe406f45eaba014741ff6d770d8a308f032ff20cb8dd
Opcode Fuzzy Hash: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
Instruction Fuzzy Hash: 26F08270A14708BEDB025FB68C5282ABAECE749B1475288B6F900A2AD2E53C5820C569

Function 0040B0EF Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
DestroyWindow.USER32(00020450,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5

Part of subcall function 00409978: Sleep.KERNEL32(?), ref: 00409997
Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099BA
Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099C4

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
String ID:
API String ID: 2192421792-0
Opcode ID: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
Instruction ID: 80fe6e0f7824975e72fa29ef6d7a10d3d2514edd0f005a574200bdc13b2d30de
Opcode Fuzzy Hash: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
Instruction Fuzzy Hash: C9F0CD70A105009BD725ABA9EE99B2632E5E7A4305F04453AA110BB2F1C7BD9C88CA8D

Function 00407AE8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B07
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B0F

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020F03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
Instruction ID: 2b235249b0a7ee07bcb8c1d8603e448d3cb6330bb11491e7c51f1e2a1a123f33
Opcode Fuzzy Hash: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
Instruction Fuzzy Hash: 13E092767081005FD610E55DC881A9B33DCDFC53A8F004537B654EB1D1D675B8008366

Function 00407AA8 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407ABF
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407ACE

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
Instruction ID: e15dfe76c2c2153dd18fa5b66318eead10a3336b01bc7908bb5745e2d55223c8
Opcode Fuzzy Hash: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
Instruction Fuzzy Hash: DAE092A17181106EEB20A65E9884F6B67DCCBC9314F04817BF508EB282D6B8DC008777

Function 00407A40 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A57
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A63

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020F03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
Instruction ID: b2e9c79a061d94bc6c1ac4e6a69a759f2ef78579472dc31f5d333ffaff30462c
Opcode Fuzzy Hash: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
Instruction Fuzzy Hash: C7E01AB1A002109EEB20EBB58981B5662D89B44364B048576A654DB2C6D274E800CB66

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

Function 004056D0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405806), ref: 004056EF

Part of subcall function 0040512C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405149

Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
Instruction ID: 82c784cd7830e1ca4cd44457dad2f2fa429cf4e25a926eea24d274db27b93b1b
Opcode Fuzzy Hash: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
Instruction Fuzzy Hash: C1316F75E00509ABCB00EF95CC819EEB379FF84304F508577E819BB285E739AE058B98

Function 004079F2 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
Opcode Fuzzy Hash: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8

Function 004079F4 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
Opcode Fuzzy Hash: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8

Function 00406E2C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406E74,?,?,?,?,00000000,?,00406E89,004071E3,00000000,00407228,?,?,?), ref: 00406E57

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8e258e6088ff2729972a65b025d9916a43b1951ab399dc39633550a2ec6328db
Instruction ID: 5d103c24ca312c86e291a35865c809fd23e08ae6a8f6832d02acb9ca341f4446
Opcode Fuzzy Hash: 8e258e6088ff2729972a65b025d9916a43b1951ab399dc39633550a2ec6328db
Instruction Fuzzy Hash: ADE0E530300308BBD301EE72DC42D0ABBACDB89704B920476B400A26C2D5785E108068

Function 00407B44 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B5B

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020F03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 006c08a2f5d9871c0a1980147acda0c26795bf6e192fd3a261290223f417e960
Instruction ID: 30ae2be02b9f15b9cba2c15a2490e5271afae9e105f225727eb8a6e5b17a7771
Opcode Fuzzy Hash: 006c08a2f5d9871c0a1980147acda0c26795bf6e192fd3a261290223f417e960
Instruction Fuzzy Hash: 3FE06D727081106BD710A65A98C0E5777ECCF85764F00403BB608DB281C574AC01867A

Function 00407700 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095C3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0040771F

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b9ec76e9ce0cf7c9b11fbb0d22c3d5372d7ad8be8fd57ca1cb8678c9dba0653c
Instruction ID: cd8e50964804133df0be52219a4bf40107040f8cbf32d452899ff663d46cfc84
Opcode Fuzzy Hash: b9ec76e9ce0cf7c9b11fbb0d22c3d5372d7ad8be8fd57ca1cb8678c9dba0653c
Instruction Fuzzy Hash: 7CE04FB1B8830126F62519545C87F7B164E47C0B84F64403B7B50EE3D2DABEB94B429F

Function 00407B28 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02370004,0040AEF9,00000000), ref: 00407B2F

Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020F03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 879c3aef20c26933657ab209da42f9acde188edf801b45e7798529f352953bc6
Instruction ID: c094c2b5ec81b014f7647aed55f46f5be6f6c9eff784118cc89584b894c57cec
Opcode Fuzzy Hash: 879c3aef20c26933657ab209da42f9acde188edf801b45e7798529f352953bc6
Instruction Fuzzy Hash: AFC04CB1B141045BDB00A6AA85C2A1672DC5A482083404076B504DB247D678F8504755

Function 00407477 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407495), ref: 00407488

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
Instruction ID: fee884e8913e26ea2b20a1c4334648daa9a2c142b99fe0c27f31eb53e83e856d
Opcode Fuzzy Hash: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
Instruction Fuzzy Hash: C6B09B76A0C2006DE705DEE5645153877D4D7C47103B14877F100D65C1D93C94108519

Function 00407493 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407495), ref: 00407488

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
Instruction ID: c7febe38ef9f985557de65a49c8e3beabd1cb56d23a205183508381f5ecd03fa
Opcode Fuzzy Hash: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
Instruction Fuzzy Hash: EEA022A8C08008BACE00EEE88080A3C33A82A883003C008E23200B2082C03CE000820B

Function 00406DC0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00406DBC,?,00406A99,?,?,0040959C,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE), ref: 00406DC2

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
Opcode Fuzzy Hash: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
Instruction Fuzzy Hash:

Function 0040150C Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401570

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4069ebeab1ecaaa6227b0d54b40c6f300b7ac340d294d08becb426def254346f
Instruction ID: ed4d65520c00d96bd64096adec8f86249eaccd310614155879460d3c6a05d2ca
Opcode Fuzzy Hash: 4069ebeab1ecaaa6227b0d54b40c6f300b7ac340d294d08becb426def254346f
Instruction Fuzzy Hash: EC21F970608711AFC700DF19C880A5AB7E0EFC4760F14C96AE899AB3A1D374EC45CB9A

Function 0040838C Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040841C

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
Instruction ID: 68aadeca7c52aa1374545c41b60170f14cbd4c45bc0c673343149efe9cc76684
Opcode Fuzzy Hash: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
Instruction Fuzzy Hash: 7B116D716042059BDB00EF19C981B4B37A4AF84359F04847EF998AF2C7DF78D8058B6A

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
Opcode Fuzzy Hash: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8

Function 004079C4 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 004079D4

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
Instruction ID: 1333f047c66b0d9688efca9d11da816c999e90cdcd736c06211d3ba452c28d9f
Opcode Fuzzy Hash: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
Instruction Fuzzy Hash: B4D0A7D1B00A6007E315F2BF498964B92C85F88655F08843BF685E73D1D67CAC00D38D

Function 00408334 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00408319), ref: 0040834B

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
Instruction ID: 2902acfab023b9b2f0de86f7a78627cda5d54dfc4b924a21aa22279fbea0049e
Opcode Fuzzy Hash: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
Instruction Fuzzy Hash: 64D002B17553046FDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6F775D8008B14

Non-executed Functions

Function 004098E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004098F7
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004098FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409916
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040993D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409942
ExitWindowsEx.USER32(00000002,00000000), ref: 00409953

Strings

SeShutdownPrivilege, xrefs: 0040990F

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
Instruction ID: c716305aa6b255ea0f8bf04b803605974c64d9a32ef9e4c16490a57abd096404
Opcode Fuzzy Hash: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
Instruction Fuzzy Hash: 17F062B0284302B6E610AAB18C07F2722885B81B18F40493EB711F52C3D7BDD904866F

Function 0040A0D4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A0DE
SizeofResource.KERNEL32(00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040A0F1
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000), ref: 0040A103
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132), ref: 0040A114

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
Instruction ID: 6e0ad9993521ca4487a6dc9182c9ec88a9d7ecf9898e216691337b01ea42cf55
Opcode Fuzzy Hash: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
Instruction Fuzzy Hash: 92E0EA9078970725EAA136E608D6B6B10884BB578EF40113ABB14B92C3DDBC8C14516E

Function 004056A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
Instruction ID: 0ac2273093169a9723f5a49d7def2a1a0e4efde15c2d8dcba0568209acb81ea7
Opcode Fuzzy Hash: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
Instruction Fuzzy Hash: 34D05EA631E6502AE310519B2D85EBB4EACCAC57A4F54483BF64CD7252D2248C069776

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748

Function 00408888 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 388b29b0a79f5f19ed4b4953a6a76f47c3e14b9604a8131d453ab3a085cd796f
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: BC32E675E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF54

Function 004074A0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 004074C9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004074CF
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 0040751D

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040752C
Locale, xrefs: 0040750C
.DEFAULT\Control Panel\International, xrefs: 004074F4
kernel32.dll, xrefs: 004074C4
GetUserDefaultUILanguage, xrefs: 004074BF

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
Instruction ID: b0f7b576ff72b1c2059ac61aa9c71175e867ef76c41006bc9f97b140b7c9741a
Opcode Fuzzy Hash: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
Instruction Fuzzy Hash: 02215470E04209BBDB00EAE5CC55ADE77A8AB44304F508877A900F36C1E77CBA01C75A

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 00405814 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405A5C,?,?,?,?,00000000,00000000,00000000,?,00406A3B,00000000,00406A4E), ref: 0040582E

Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A

Part of subcall function 004056A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB

Strings

m/d/yy, xrefs: 004058FD
:mm, xrefs: 00405A10
mmmm d, yyyy, xrefs: 0040591F
:mm:ss, xrefs: 00405A2A
AMPM, xrefs: 004059F9

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
Instruction ID: 1f8fb3564ea85801462352e9f704d9e8acf1e4fd8595550e023c4eac14c4b858
Opcode Fuzzy Hash: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
Instruction Fuzzy Hash: 2B513E34B006486BDB00FAA58C81A8F77A9DB99304F50857BA515BB3C6CA3DDA098F5C

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040AAAE), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040AAAE), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103
%q, xrefs: 004030F3

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$%q
API String ID: 2123368496-1561265964
Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

Function 0040A128 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A15D

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A141
Setup, xrefs: 0040A14D

Memory Dump Source

Source File: 00000000.00000002.2033875693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033641508.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034012267.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034183391.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
Instruction ID: 9b5d989b58a55d658cadae164e54e3781760331d38193a884cd145b826483737
Opcode Fuzzy Hash: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
Instruction Fuzzy Hash: 87E065302443087EE312EA629C13F5E7BACE789B54F614477F500B55C1D6795E10D46D

Analysis Process: msgtopstdemo.tmpPID: 7304, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	104

Executed Functions

Function 0048F6BC Relevance: 138.4, APIs: 22, Strings: 56, Instructions: 1878COMMON

Download Yara Rule

Strings

REGWRITEMULTISTRINGVALUE, xrefs: 004908D8
DELETEINIENTRY, xrefs: 0048FAFB
REGQUERYSTRINGVALUE, xrefs: 00490372
INIKEYEXISTS, xrefs: 0048F912
REGWRITESTRINGVALUE, xrefs: 004906E0
GETSHORTNAME, xrefs: 0048FD51
FONTEXISTS, xrefs: 00490BDE
FILEEXISTS, xrefs: 0048F703
PARAMCOUNT, xrefs: 0048FBE3
PARAMSTR, xrefs: 0048FC07
ISPOWERUSERLOGGEDON, xrefs: 00490BBA
REGQUERYBINARYVALUE, xrefs: 004905D3
ADDPERIOD, xrefs: 00490C37
ADDQUOTES, xrefs: 0048FCE1
REGGETSUBKEYNAMES, xrefs: 00490298
SETINIBOOL, xrefs: 0048FA90
DIREXISTS, xrefs: 0048F73C
USINGWINNT, xrefs: 0048FF36
SETINISTRING, xrefs: 0048F9B6
REGQUERYMULTISTRINGVALUE, xrefs: 00490434
STRINGCHANGEEX, xrefs: 0048FEC2
GETENV, xrefs: 0048FB83
SETNTFSCOMPRESSION, xrefs: 00490CB0
REMOVEQUOTES, xrefs: 0048FD19
GETSYSTEMDIR, xrefs: 0048FDB6
REGWRITEEXPANDSTRINGVALUE, xrefs: 004907F7
REGQUERYDWORDVALUE, xrefs: 004904F6
GETINIBOOL, xrefs: 0048F8A7
GETCMDTAIL, xrefs: 0048FBBB
REGGETVALUENAMES, xrefs: 00490305
GETTEMPDIR, xrefs: 0048FE33
GETUILANGUAGE, xrefs: 00490C12
REGVALUEEXISTS, xrefs: 0049009B
GETSYSNATIVEDIR, xrefs: 0048FE06
CHARLENGTH, xrefs: 00490C6F
GETWINDIR, xrefs: 0048FD8E
STRINGCHANGE, xrefs: 0048FE5B
REGKEYEXISTS, xrefs: 0049001E
FILEORDIREXISTS, xrefs: 0048F775
ADDBACKSLASH, xrefs: 0048FC39
REMOVEBACKSLASH, xrefs: 0048FC71
FILECOPY, xrefs: 0048FF5A
GETINISTRING, xrefs: 0048F7AE
DELETEINISECTION, xrefs: 0048FB49
REGDELETEVALUE, xrefs: 004901F3
CONVERTPERCENTSTR, xrefs: 0048FFDD
REGWRITEBINARYVALUE, xrefs: 00490AB6
ISINISECTIONEMPTY, xrefs: 0048F96E
REGDELETEKEYIFEMPTY, xrefs: 00490198
GETINIINT, xrefs: 0048F822
REGWRITEDWORDVALUE, xrefs: 004909E2
SETINIINT, xrefs: 0048FA25
GETSYSWOW64DIR, xrefs: 0048FDDE
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 0049013D
ISADMINLOGGEDON, xrefs: 00490B96
REMOVEBACKSLASHUNLESSROOT, xrefs: 0048FCA9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
API String ID: 0-4234653879
Opcode ID: 19854b33dafa67cb38d998cdaf23aab5f995192ac433efa49c9268e7aa2fcbb3
Instruction ID: 5ab6688b1d8de169e7eae929f0fe5b5c72d30124bbb070add725f290c9b618ac
Opcode Fuzzy Hash: 19854b33dafa67cb38d998cdaf23aab5f995192ac433efa49c9268e7aa2fcbb3
Instruction Fuzzy Hash: BAD25370B041455BDB04EBB9C8819AEBBA5AF58704F50893FB406AB346DF3CED068799

Function 00471688 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 961COMMON

Download Yara Rule

Strings

Incrementing shared file count (64-bit)., xrefs: 0047257B
Version of existing file: (none), xrefs: 00471CDA
Failed to strip read-only attribute., xrefs: 00471EB3
Installing into GAC, xrefs: 004726FA
Skipping due to "onlyifdestfileexists" flag., xrefs: 00471EDA
Non-default bitness: 64-bit, xrefs: 0047188F
Time stamp of existing file: %s, xrefs: 00471A0B
, xrefs: 00471BAF, 00471D80, 00471DFE
Couldn't read time stamp. Skipping., xrefs: 00471D15
InUn, xrefs: 0047213F
Will register the file (a DLL/OCX) later., xrefs: 0047250E
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00471CA4
Time stamp of our file: %s, xrefs: 0047197B
Time stamp of our file: (failed to read), xrefs: 00471987
Dest file exists., xrefs: 0047199B
Existing file is a newer version. Skipping., xrefs: 00471BE2
Skipping due to "onlyifdoesntexist" flag., xrefs: 004719AE
Dest filename: %s, xrefs: 00471874
.tmp, xrefs: 00471F97
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00471E76
Installing the file., xrefs: 00471EE9
Version of existing file: %u.%u.%u.%u, xrefs: 00471B5C
Dest file is protected by Windows File Protection., xrefs: 004718CD
Version of our file: %u.%u.%u.%u, xrefs: 00471AD0
Existing file has a later time stamp. Skipping., xrefs: 00471DAF
Existing file is protected by Windows File Protection. Skipping., xrefs: 00471DCC
Same version. Skipping., xrefs: 00471CC5
Non-default bitness: 32-bit, xrefs: 0047189B
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00471CB0
User opted not to overwrite the existing file. Skipping., xrefs: 00471E2D
Version of our file: (none), xrefs: 00471ADC
Same time stamp. Skipping., xrefs: 00471D35
Stripped read-only attribute., xrefs: 00471EA7
-- File entry --, xrefs: 004716DB
Time stamp of existing file: (failed to read), xrefs: 00471A17
Uninstaller requires administrator: %s, xrefs: 0047216F
Will register the file (a type library) later., xrefs: 00472502
I, xrefs: 00471688
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00471C95
Incrementing shared file count (32-bit)., xrefs: 00472594

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$I
API String ID: 0-4118084788
Opcode ID: c14e226d9891336989dafe503ecccccce581ef0ae42d4d4c3c1148ce2efd792b
Instruction ID: 6bf2baeb3a70bced245c17dd6e1df6b1677c078c0e18323f60fd28fe4f0ee562
Opcode Fuzzy Hash: c14e226d9891336989dafe503ecccccce581ef0ae42d4d4c3c1148ce2efd792b
Instruction Fuzzy Hash: 73927134A042889FDB11DFA9C585BDDBBF4AF05304F1480ABE848BB392D7789E45DB19

Function 0042E4EC Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E526
GetVersion.KERNEL32(00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E543
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E55C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E562
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E577
FreeSid.ADVAPI32(00000000,0042E6D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E6CA

Strings

advapi32.dll, xrefs: 0042E557
CheckTokenMembership, xrefs: 0042E552

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
Instruction ID: 33373ee259e646c263c3edb0d375fd355344fbe6f0fea3053a31bb261822ccd7
Opcode Fuzzy Hash: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
Instruction Fuzzy Hash: 33518371B44619AEDB10EAE69842B7F77ACDB19304FD4047BB500F72C2D57CD904876A

Function 00456DD4 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0049BA74,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E1A
CoCreateInstance.OLE32(0049B764,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E40
SysFreeString.OLEAUT32(00000000), ref: 00456FF7

Strings

IPersistFile::Save, xrefs: 004570FE
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004570A0
CoCreateInstance, xrefs: 00456E4B
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456FDC
{pf32}\, xrefs: 00456EBA
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00457066
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045702E
%ProgramFiles(x86)%\, xrefs: 00456ECA
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456F59
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456F8D
IPropertyStore::Commit, xrefs: 0045707F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 308859552-2363233914
Opcode ID: 07d5a5579f8ca6652d0c1b29a29510edaaf9d516a664dc31519823db798bd8dc
Instruction ID: 02ec3099c1e013a4d2a6014e0405d8002507ef7a0ca247d1a979c15f6e32810c
Opcode Fuzzy Hash: 07d5a5579f8ca6652d0c1b29a29510edaaf9d516a664dc31519823db798bd8dc
Instruction Fuzzy Hash: 57B18071A04204AFDB11DFA9D845B9E7BF8AF08706F5440B6F904E7262DB38DD48CB69

Function 0042405C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6f3cab85cb6cd94dd259e2a1688b0505dda5d67cc9468b745cf4902a0b6c1d
Instruction ID: 43e49367b0b6739e18dd975752e7d81306140be7a57883210305ee73c05c6530
Opcode Fuzzy Hash: fe6f3cab85cb6cd94dd259e2a1688b0505dda5d67cc9468b745cf4902a0b6c1d
Instruction Fuzzy Hash: 59E16E30704124EFD710DB6AE685A5DB7F4EF84314FA540A6F6859B392CB38EE81DB09

Function 00422CAC Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E44
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042300E), ref: 00422E54

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 50d217a044accfbb6ff9672ceaa0ff858f3e4d17f8446c7d09d6d8818b0f9199
Instruction ID: bacc4b86db7cb1d0e13acf93141a7ddfdaa0ad6c2af5cb9121abc77d57b19b6c
Opcode Fuzzy Hash: 50d217a044accfbb6ff9672ceaa0ff858f3e4d17f8446c7d09d6d8818b0f9199
Instruction Fuzzy Hash: 1B916270B14254AFD700DBA9DB46F9E77F4AB04304F5600B6F904AB292C7B8AE01AB58

Function 00468034 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1649windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004971B4: GetWindowRect.USER32(00000000), ref: 004971CA

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 004683DD

Part of subcall function 0041DB00: GetObjectA.GDI32(?,00000018,004683F6), ref: 0041DB2B

Part of subcall function 00467E10: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
Part of subcall function 00467E10: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467ED9
Part of subcall function 00467E10: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467F30

Part of subcall function 004677CC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4

Part of subcall function 00497438: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00497442

Part of subcall function 0042F188: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4
Part of subcall function 0042F188: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201

Part of subcall function 00497104: GetDC.USER32(00000000), ref: 00497126
Part of subcall function 00497104: SelectObject.GDI32(?,00000000), ref: 0049714C
Part of subcall function 00497104: ReleaseDC.USER32(00000000,?), ref: 0049719D

Part of subcall function 00497428: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00497432

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00469080
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00469091
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004690A9

Strings

STOPIMAGE, xrefs: 004683D2
(Default), xrefs: 00469692
, xrefs: 0046849E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadProcRectReleaseSelectSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 616467991-770201673
Opcode ID: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
Instruction ID: 80892e57212ece105f8354d293749779e47711168eff5a6823bea21c9da9ff55
Opcode Fuzzy Hash: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
Instruction Fuzzy Hash: 90F2E7786005108FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36ADB78EC46CB4A

Function 004565A8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 004565D8
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004565DE
GetDiskFreeSpaceExA.KERNELBASE(00000000,?,?,00000000,00000000,004566C5,?,00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 00456634

Strings

kernel32.dll, xrefs: 004565D3
GetDiskFreeSpaceExA, xrefs: 004565CE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1197914913-3712701948
Opcode ID: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
Instruction ID: b48cc3d91c9fc3d8a1033014b63779c50d18bc65ef0bc06e4cd1291adb105b9d
Opcode Fuzzy Hash: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
Instruction Fuzzy Hash: A2417471A00249AFCF01EFA5C8829EFBBB8EF48304F514567F800F7252D6795D098B69

Function 00476120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476179
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476256
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476264

Strings

unins, xrefs: 004761CC
unins???.*, xrefs: 00476163

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 816df3ee00217b6bb4e518e82dd9f1b30d6009901d4e98b0830000b4814bbc5f
Instruction ID: eb89464c752a784b36226a23c26c23c5edadcf818cb3280f2000aa581376a5b5
Opcode Fuzzy Hash: 816df3ee00217b6bb4e518e82dd9f1b30d6009901d4e98b0830000b4814bbc5f
Instruction Fuzzy Hash: 11312E70600548ABDB50EB65CC81ADEBBADDB45314F5180F6A84CAB3A6DB389F418F58

Function 004489CC Relevance: 4.7, APIs: 3, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448BA9), ref: 00448AEC
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448B6D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 867ba43a10b71c4e0cee705246465b706dfe17f876c727b36fdc5ac37d46efd6
Instruction ID: 477aa25612ad46cb30709e51daa048e72857c65cf3d1b396dc19b103b65ac6e4
Opcode Fuzzy Hash: 867ba43a10b71c4e0cee705246465b706dfe17f876c727b36fdc5ac37d46efd6
Instruction Fuzzy Hash: AA5133B0E00545AFDB00EF95C481AAEB7F9EB44315F10817FB814BB395DA78AE058B99

Function 004531A4 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E1
GetLastError.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
Instruction ID: d0bf465202dae3429285692917932fac375c13b7b10a14b33624456fe0da4cd4
Opcode Fuzzy Hash: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
Instruction Fuzzy Hash: FEF02371A046047BCB10DF7AAC0145EF7ACDB4577675046BBFC14D3291DB784F088558

Function 004089B8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
Instruction ID: 37d1d3aac47cb6b8cd62020f591dd9ac8cec50bf03644e7f1bddec785b1dbc63
Opcode Fuzzy Hash: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
Instruction Fuzzy Hash: 63E0227170021452C315A91A8C82AFAB24C9B18314F00427FB948E73C3EDB89E8042ED

Function 00423FD4 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245A1,?,00000000,004245AC), ref: 00423FFE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
Opcode Fuzzy Hash: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94

Function 00455D38 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00455D4E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
Instruction ID: 82cf1e81aeab4cdf4c711474db213eebdc1b2e178f500b1422eacd8e28b83923
Opcode Fuzzy Hash: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
Instruction Fuzzy Hash: 0AD0C27230460063C700AAA99C826AA359C8B84305F00883F3CC5DA2C3EABDDA4C5696

Function 0046FE70 Relevance: 75.8, APIs: 1, Strings: 42, Instructions: 512
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046FC5C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F

RegCloseKey.ADVAPI32(?,00470539,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00470584,?,?,0049E1E4,00000000), ref: 0047052C

Strings

" /SILENT, xrefs: 004701F2
Inno Setup: Icon Group, xrefs: 0046FFC5
Contact, xrefs: 004702E7
Inno Setup: User Info: Name, xrefs: 004700BE
NoModify, xrefs: 00470338
DisplayIcon, xrefs: 0047018B
HelpTelephone, xrefs: 00470273
Inno Setup: No Icons, xrefs: 0046FFE3
Readme, xrefs: 004702CA
InstallDate, xrefs: 0047036B
Inno Setup: App Path, xrefs: 0046FF96
URLInfoAbout, xrefs: 00470256
MajorVersion, xrefs: 00470397
Inno Setup: User, xrefs: 00470002
Inno Setup: Selected Components, xrefs: 00470040
Inno Setup: User Info: Organization, xrefs: 004700D3
Inno Setup: Language, xrefs: 0047010F
Publisher, xrefs: 00470239
NoRepair, xrefs: 0047034C
InstallLocation, xrefs: 0046FFB6
DisplayVersion, xrefs: 0047021C
Inno Setup: Deselected Components, xrefs: 0047005F
Inno Setup: Deselected Tasks, xrefs: 004700A6
QuietUninstallString, xrefs: 004701FF
ModifyPath, xrefs: 00470324
_is1, xrefs: 0046FECC
Inno Setup: Selected Tasks, xrefs: 00470087
MinorVersion, xrefs: 004703A9
HelpLink, xrefs: 00470290
EstimatedSize, xrefs: 004704A9
Comments, xrefs: 00470304
5.5.9 (a), xrefs: 0046FF66
Inno Setup: Setup Version, xrefs: 0046FF61
DisplayName, xrefs: 0047016E
RegisterPreviousData, xrefs: 004704E2
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046FEC6
Inno Setup: User Info: Serial, xrefs: 004700E8
Inno Setup: Setup Type, xrefs: 00470021
URLUpdateInfo, xrefs: 004702AD
UninstallString, xrefs: 004701C5
VersionMinor, xrefs: 004703CD
VersionMajor, xrefs: 004703BB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.5.9 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$_is1
API String ID: 3132538880-2925550972
Opcode ID: fdb3abc282401ddcde1fd324222dc74367cf93ffdb601943bdf46b8bae72a72a
Instruction ID: 8dffaa2781584bc6e947bd791be20880efee78ab32c439a28404737c84d0984c
Opcode Fuzzy Hash: fdb3abc282401ddcde1fd324222dc74367cf93ffdb601943bdf46b8bae72a72a
Instruction Fuzzy Hash: F8124F34A00108DBDB04EB55E991ADE77F5EF48304F60807BE804AB3A5EB79BD45CB59

Function 004063F4 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406655
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040666B
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406676

Strings

propsys.dll, xrefs: 00406548
userenv.dll, xrefs: 004064DF
comres.dll, xrefs: 0040661A
SetSearchPathMode, xrefs: 0040664F
uxtheme.dll, xrefs: 004064BC
version.dll, xrefs: 004065D4
kernel32.dll, xrefs: 0040640A
apphelp.dll, xrefs: 00406525
oleacc.dll, xrefs: 004065B1
cryptbase.dll, xrefs: 0040658E
SetProcessDEPPolicy, xrefs: 00406665
profapi.dll, xrefs: 004065F7
setupapi.dll, xrefs: 00406502
SetDefaultDllDirectories, xrefs: 00406425
clbcatq.dll, xrefs: 0040663D
SetDllDirectoryW, xrefs: 0040644D
dwmapi.dll, xrefs: 0040656B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-2388063882
Opcode ID: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
Instruction ID: 52ceb319b1b10a2745084cc2a18598c2ecefae742a63aceaaee3a2f28509b87b
Opcode Fuzzy Hash: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
Instruction Fuzzy Hash: 7061F130A00109EBCB01FBA6D982D8E77B9AB44709B214077B405772E6DB3DEF199B5D

Function 00450994 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509BF

Part of subcall function 00450964: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045097C

LoadLibraryA.KERNEL32(00000000,00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509FB
GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450A19
GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 00450A2E
GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450A43
GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450A58
GetProcAddress.KERNEL32(00000000,RmRestart), ref: 00450A6D
GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450A82

Strings

RmRestart, xrefs: 00450A62
RmGetList, xrefs: 00450A38
RmEndSession, xrefs: 00450A77
Rstrtmgr.dll, xrefs: 004509E8
RmStartSession, xrefs: 00450A0E
RmShutdown, xrefs: 00450A4D
RmRegisterResources, xrefs: 00450A23

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
Instruction ID: 7e76809d132c55fa29070b713de61cc7a3e08993567f6b48a797f9432d6667d5
Opcode Fuzzy Hash: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
Instruction Fuzzy Hash: 58212AB4A00304AEE710FBA5EC86A6E77F8E764755F50053BB810A71A3D6789D49CB1C

Function 00484E68 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484EF9

Strings

kernel32.dll, xrefs: 00484E74
GetNativeSystemInfo, xrefs: 00484E80
advapi32.dll, xrefs: 00484ED7
GetSystemWow64DirectoryA, xrefs: 00484EC3
RegDeleteKeyExA, xrefs: 00484ED2
IsWow64Process, xrefs: 00484E96

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
Instruction ID: 19f93fc1e60286517b98713993879556ba5b021e510ed05db2a10d1898c9039d
Opcode Fuzzy Hash: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
Instruction Fuzzy Hash: E8110351109353A4E721B3796E46B7F25889B8031CF080C7F7B84666C6EA7CC845833F

Function 00469A0C Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,00469C26,?,?,00000001,00000000,00000000,00469C41,?,00000000,00000000,?), ref: 00469C0F

Strings

Inno Setup: No Icons, xrefs: 00469AF7
Inno Setup: Setup Type, xrefs: 00469B1E
%s\%s_is1, xrefs: 00469A89
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469A6B
Inno Setup: App Path, xrefs: 00469ACE
Inno Setup: Selected Tasks, xrefs: 00469B7B
Inno Setup: User Info: Serial, xrefs: 00469BF1
Inno Setup: Deselected Tasks, xrefs: 00469B9D
Inno Setup: User Info: Organization, xrefs: 00469BDE
Inno Setup: User Info: Name, xrefs: 00469BCB
Inno Setup: Icon Group, xrefs: 00469AEA
Inno Setup: Deselected Components, xrefs: 00469B50
Inno Setup: Selected Components, xrefs: 00469B2E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 7b5af505cdaee4b9995a13ec4fd6d8a32d5a0e4e315676c1a42935439103419e
Instruction ID: c7de7197f4a769c9e7c3cd52df4c64fbb683598124d789e1de9a85ab418445f9
Opcode Fuzzy Hash: 7b5af505cdaee4b9995a13ec4fd6d8a32d5a0e4e315676c1a42935439103419e
Instruction Fuzzy Hash: C4519430A006089BCB15DB66D941BEEB7F9EF49304F5084BAE84067395E7B8AF01CB5D

Function 00473AA0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473C58
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473D73
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00473D89
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00473DAE

Strings

Creating the icon., xrefs: 00473C6D
.lnk, xrefs: 00473B2C
Successfully created the icon., xrefs: 00473D4D
target.lnk, xrefs: 00473DF8
Dest filename: %s, xrefs: 00473BFA
.pif, xrefs: 00473B4F, 00473CED
{group}\, xrefs: 00473AFA
Desktop.ini, xrefs: 00473E2F
.url, xrefs: 00473B72

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 971782779-2902529204
Opcode ID: b72f850a64bbc8f123dd4924d5b2584716dd07303dfbb896ee9ec9fc6b8b6bc3
Instruction ID: 9b31a6288a8d0ad81c732a29d19026b8086b57763a6276d7ac4447936d78ea7d
Opcode Fuzzy Hash: b72f850a64bbc8f123dd4924d5b2584716dd07303dfbb896ee9ec9fc6b8b6bc3
Instruction Fuzzy Hash: EBD11374A00148ABDB11DFA9D582BDDBBF4AF08305F50806AF804B7392D778AE45DB69

Function 0047D978 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DCE8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0045451C,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D), ref: 0042DCFB

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042DD40: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
Part of subcall function 0042DD40: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60

SHGetKnownFolderPath.SHELL32(0049BD44,00008000,00000000,?,00000000,0047DC4C), ref: 0047DB52
CoTaskMemFree.OLE32(?,0047DB95), ref: 0047DB88

Part of subcall function 0042D658: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DE8E,00000000,0042DF20,?,?,?,0049D62C,00000000,00000000), ref: 0042D683

Strings

COMMAND.COM, xrefs: 0047DC27
cmd.exe, xrefs: 0047DC06
Failed to get path of 64-bit Common Files directory, xrefs: 0047DB18
SystemDrive, xrefs: 0047D9DF
\Program Files, xrefs: 0047DA67
CommonFilesDir, xrefs: 0047DA7A, 0047DAF6
ProgramFilesDir, xrefs: 0047DA40, 0047DAC7
Common Files, xrefs: 0047DAB1
Failed to get path of 64-bit Program Files directory, xrefs: 0047DAE9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3771764029-544719455
Opcode ID: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
Instruction ID: 0fe7c2c5921331aa3b985ab989dbf77b3a087c61dea5e3792aec770f31e1cce1
Opcode Fuzzy Hash: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
Instruction Fuzzy Hash: A061B234E24204AFDB11EFA6D84269E7B78EF84318F51C57BE404AB391D77CAA41CA1D

Function 0047E184 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047E2B1

Strings

shfolder.dll, xrefs: 0047E1BF
shell32.dll, xrefs: 0047E24F
Failed to load DLL "%s", xrefs: 0047E294
_isetup\_shfoldr.dll, xrefs: 0047E222
SHGetFolderPathA, xrefs: 0047E2A6
2, xrefs: 0047E1F3
SHFOLDERDLL, xrefs: 0047E22F
Failed to get address of SHGetFolderPath function, xrefs: 0047E2C2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressDirectoryProcSystem
String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 996212319-3422985891
Opcode ID: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
Instruction ID: 9758cc0716918fe71002c31ee1435c1447d2ac946059de1b269defc554b01a12
Opcode Fuzzy Hash: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
Instruction Fuzzy Hash: C9415830A00119DFDB10DFA6C9415DE77B8FB48309F50C9BBE414A7252D7389E05CB59

Function 00423CC4 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F814: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832

GetClassInfoA.USER32(00400000,00423ACC), ref: 00423CEF
RegisterClassA.USER32(0049B630), ref: 00423D07
GetSystemMetrics.USER32(00000000), ref: 00423D29
GetSystemMetrics.USER32(00000001), ref: 00423D38
SetWindowLongA.USER32(004108B0,000000FC,00423ADC), ref: 00423D94
SendMessageA.USER32(004108B0,00000080,00000001,00000000), ref: 00423DB5
GetSystemMenu.USER32(004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DC0
DeleteMenu.USER32(00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DCF
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423DDC
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423DF2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: b1b7ab34adc4f0bdac85d35cd8319da5cc88f86eb62920a241cc02d958c0791e
Instruction ID: 7df3f4c256e16cf88ed5bb8a347b5b3a25df550de305930316ee8fcfc6e0617b
Opcode Fuzzy Hash: b1b7ab34adc4f0bdac85d35cd8319da5cc88f86eb62920a241cc02d958c0791e
Instruction Fuzzy Hash: 203164B17502106AEB10AF65DC86F6A3698D714709F60017AFA40EF2D7C6BDED40476D

Function 00482C40 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00482DFD
FreeLibrary.KERNEL32(00000000), ref: 00482E11
SendNotifyMessageA.USER32(00020450,00000496,00002710,00000000), ref: 00482E83

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 00482E32
Deinitializing Setup., xrefs: 00482C5E
GetCustomSetupExitCode, xrefs: 00482C9D
Restarting Windows., xrefs: 00482E5E
DeinitializeSetup, xrefs: 00482CF9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 9c2bbffa538aa2e5b055a523d915f2d38be36e5908d6c0a026212498e4b0fc52
Instruction ID: 87ca8a1097935e6c4637b022688acffdd958b69fb8a4991d3dc3ea9519d40e2c
Opcode Fuzzy Hash: 9c2bbffa538aa2e5b055a523d915f2d38be36e5908d6c0a026212498e4b0fc52
Instruction Fuzzy Hash: F851AA30600200EFD711EF6AD949B6E7BE4EB19718F51897BE800D72A1DBB89C45CB5D

Function 0042FA00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042FA2F
GetFocus.USER32 ref: 0042FA37
RegisterClassA.USER32(0049B7AC), ref: 0042FA58
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB2C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FA96
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FADC
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FAED
SetFocus.USER32(00000000,00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FAF4

Strings

TWindowDisabler-Window, xrefs: 0042FA8F, 0042FAD5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
Instruction ID: be32ada46e774ba6914a87ad40c025b2c9e25f6d11d521099bf08b28c91ad89a
Opcode Fuzzy Hash: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
Instruction Fuzzy Hash: E121B570B40720BAE210EB65EC03F1A76B4EB04B04FA1813BF504BB2D1D7B96C1487AD

Function 00473950 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D,?,?,00000000,00473EF0), ref: 00473974

Part of subcall function 0042D1E4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D25A

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D), ref: 004739EB
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000), ref: 004739F1

Strings

{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004739AD
CLSID2, xrefs: 0047399E
target.lnk, xrefs: 004739C9
.ShellClassInfo, xrefs: 004739A3
desktop.ini, xrefs: 00473988

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
Instruction ID: bfb262a57c212aacfed1a05d1298e64af55acb3d3cb9d0523fd91374b550827c
Opcode Fuzzy Hash: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
Instruction Fuzzy Hash: 8F11D3B07006047BD701EA698C83AAE73ACDB48715F50813BB844A72C1DB3C9F02961D

Function 00453934 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976

Strings

Wow64RevertWow64FsRedirection, xrefs: 00453966
Wow64DisableWow64FsRedirection, xrefs: 0045394C
shell32.dll, xrefs: 004539B3
kernel32.dll, xrefs: 00453951, 0045396B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
Instruction ID: a193a4472c2853cf72940ff7690ab9972ac4b2f80f688c1a00737a0c34b4483d
Opcode Fuzzy Hash: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
Instruction Fuzzy Hash: B211E3B0A00244BBDB00EF66DC03F5E7BA8D70475AF60447BF84166282D6BC9F088A2D

Function 00467E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467ED9

Part of subcall function 00467D4C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467DE7
Part of subcall function 00467D4C: DestroyCursor.USER32(00000000), ref: 00467DFD

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467F30
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467F91
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467FB7

Strings

shell32.dll, xrefs: 00467F14
c:\directory, xrefs: 00467EAE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
Instruction ID: adf232676f9dc8545d434ff73a7213ff4163269ef5d9f53791e9b27a0c2465ea
Opcode Fuzzy Hash: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
Instruction Fuzzy Hash: 64516D70644208AFD750EF65CC85FDEBBA8EB48308F1085A7F5089B391DA399E85CB59

Function 00430DE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430DE8
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430DF7
GetCurrentThreadId.KERNEL32 ref: 00430E11
GlobalAddAtomA.KERNEL32(00000000), ref: 00430E32

Strings

commdlg_FindReplace, xrefs: 00430DF2
WndProcPtr%.8X%.8X, xrefs: 00430E23
commdlg_help, xrefs: 00430DE3

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
Instruction ID: dd09876b0f9c3184917b018614b917cdad608ae665b29eb2c15b2e3af62d5cdc
Opcode Fuzzy Hash: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
Instruction Fuzzy Hash: 98F082B09483409ED300EF26890371A7AE0AB58708F404F3FB48CA2291D7399910CB1F

Function 004232A0 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004232F4
GetCapture.USER32 ref: 00423303
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423309
ReleaseCapture.USER32 ref: 0042330E
GetActiveWindow.USER32 ref: 0042331D
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0042339C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423400
GetActiveWindow.USER32 ref: 0042340F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: bac6248c5c65b2a46f0a1d517af8b370a3a4e6cba25cb3140287781b4ccd40b9
Instruction ID: 3a9af59dda1f98e95100fec3f153a7acb7f05633bd4cd2eb2e4992da2b7770c9
Opcode Fuzzy Hash: bac6248c5c65b2a46f0a1d517af8b370a3a4e6cba25cb3140287781b4ccd40b9
Instruction Fuzzy Hash: 68414170B10258AFDB10EFAAD942B9DB7F1AF44704F5140BAE404AB292DB7C9F41CB18

Function 00477E98 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00477EF1
SetWindowLongW.USER32(00000000,000000FC,Function_00077E4C), ref: 00477F18
GetACP.KERNEL32(00000000,00478130,?,00000000,0047815A), ref: 00477F55
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00477F9B

Strings

Inno Setup: Language, xrefs: 00478023
COMBOBOX, xrefs: 00477EEA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: ee73a32da0349862b0492f9267fac64247cda7a4a61a4b082aceda1c218f248c
Instruction ID: 81c94a85f2d0ae2d33cbd4ee74d6221623364a49e9b2571c8ba4411711431487
Opcode Fuzzy Hash: ee73a32da0349862b0492f9267fac64247cda7a4a61a4b082aceda1c218f248c
Instruction Fuzzy Hash: 65813C34A00205DFD710EF69C989AAAB7F0FB49304F55C1BAE848D7362DB38AD45CB59

Function 00455778 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994,00000000), ref: 00455922
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994), ref: 0045592F

Part of subcall function 004556E4: WaitForInputIdle.USER32(?,00000032), ref: 00455710
Part of subcall function 004556E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
Part of subcall function 004556E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
Part of subcall function 004556E4: CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761

Strings

COMMAND.COM" /C , xrefs: 0045588C
cmd.exe" /C ", xrefs: 00455855
.bat, xrefs: 00455808
D, xrefs: 004558C0
.cmd, xrefs: 00455823

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
Instruction ID: 19165e213e9236b89a5b086241af4e71530f18fc7e42ed674525c8849c01d6f6
Opcode Fuzzy Hash: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
Instruction Fuzzy Hash: F4514A7060074DABDB11EF96C892BEEBBB9AF44315F50403BF804BB282D77C99198759

Function 00423ADC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
OemToCharA.USER32(?,?), ref: 00423BAC
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC

Strings

MAINICON, xrefs: 00423B61
2, xrefs: 00423B3A

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
Instruction ID: e5d3831d9b5483d4bbbd2f836839ca6b10e9aa02fde8f17f2ef2fb4492c3d901
Opcode Fuzzy Hash: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
Instruction Fuzzy Hash: 6031A271A042549ADB10EF29C8C57C67BE8AF14308F4045BAE844DB383D7BED988CB59

Function 00419388 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 0041938D
GlobalAddAtomA.KERNEL32(00000000), ref: 004193AE
GetCurrentThreadId.KERNEL32 ref: 004193C9
GlobalAddAtomA.KERNEL32(00000000), ref: 004193EA

Part of subcall function 00423518: GetDC.USER32(00000000), ref: 0042356E
Part of subcall function 00423518: EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
Part of subcall function 00423518: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
Part of subcall function 00423518: ReleaseDC.USER32(00000000,00000000), ref: 00423594

Part of subcall function 00423ADC: LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
Part of subcall function 00423ADC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
Part of subcall function 00423ADC: OemToCharA.USER32(?,?), ref: 00423BAC
Part of subcall function 00423ADC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC

Part of subcall function 0041F568: GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
Part of subcall function 0041F568: SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
Part of subcall function 0041F568: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
Part of subcall function 0041F568: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD

Strings

ControlOfs%.8X%.8X, xrefs: 004193DB
Delphi%.8X, xrefs: 0041939F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
Instruction ID: 7870b9ea93aa7f75565cd31cdf92f475c288cd9ab0443d66b722f1effdfa130a
Opcode Fuzzy Hash: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
Instruction Fuzzy Hash: 8D112C70A182419AC300FF36D44279A7AE09BA430CF50893FF488AB3A1DB3D9D458B5E

Function 00413A8C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413AB4
GetWindowLongA.USER32(?,000000F0), ref: 00413ABF
GetWindowLongA.USER32(?,000000F4), ref: 00413AD1
SetWindowLongA.USER32(?,000000F4,?), ref: 00413AE4
SetPropA.USER32(?,00000000,00000000), ref: 00413AFB
SetPropA.USER32(?,00000000,00000000), ref: 00413B12

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
Instruction ID: a594f7604add2a8bfce9427623ad02c9736cb33a5a72341fbb506abd62de3718
Opcode Fuzzy Hash: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
Instruction Fuzzy Hash: 0811CC75500244BFDF00DF99ED88E9A3BE8EB09364F104276B914DB2E1D739D990CB94

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049D420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
Instruction ID: 86217af8f0c65890f5da76d4fe10d609cc5e2f7049d93a5e71f2b830536aceac
Opcode Fuzzy Hash: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
Instruction Fuzzy Hash: 7A11BF70E003405AEB15AB659D82B267BE4976570CF44007BF50067AF1D77CB840C76E

Function 004730AC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 00473259
FindClose.KERNEL32(000000FF,00473284,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473277
FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 0047337B
FindClose.KERNEL32(000000FF,004733A6,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473399

Strings

I, xrefs: 004730E9, 00473123, 004732E0

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: I
API String ID: 2066263336-1966777607
Opcode ID: 7ae4657df78877419f84db4ef8cd88fe7811264cd645d327851c1e60eb28fa9b
Instruction ID: 1af051264105f0c3ac5173717805306f181c97d1b343904b0a5707565e1f6f82
Opcode Fuzzy Hash: 7ae4657df78877419f84db4ef8cd88fe7811264cd645d327851c1e60eb28fa9b
Instruction Fuzzy Hash: F2C13C7490425DAFCF11DFA5C881ADEBBB9FF49304F5081AAE808A3351D7399A46CF54

Function 00455E74 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045600B,?,00000000,0045604B), ref: 00455F51

Strings

WININIT.INI, xrefs: 00455F80
PendingFileRenameOperations, xrefs: 00455EF0
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455ED4
PendingFileRenameOperations2, xrefs: 00455F20

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 8be7122c243ce20522057dc2e2531da27295be9a62d17f0d53ccadd57aa7aa50
Instruction ID: cd3286cbb97796e9ecd700c4ab963dac99c65abdd87cbf21601b40f17af9d083
Opcode Fuzzy Hash: 8be7122c243ce20522057dc2e2531da27295be9a62d17f0d53ccadd57aa7aa50
Instruction Fuzzy Hash: 1551B930E001089FDB11EF61DC51ADEB7B9EF44705F5085BBE804A72D2DB39AE45CA58

Function 0047DEA0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF33
GetLastError.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF3C

Strings

\_setup64.tmp, xrefs: 0047DFAE
_isetup, xrefs: 0047DF1E
Created temporary directory: , xrefs: 0047DED5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 11c41cff4b2e26d29b59e317b5d01f68a09a239768e9d902b03435ecaad13ccb
Instruction ID: ecaa8d991a706e785fb0a456308ec2ceb04ba6e672c042181299f5b248b5f278
Opcode Fuzzy Hash: 11c41cff4b2e26d29b59e317b5d01f68a09a239768e9d902b03435ecaad13ccb
Instruction Fuzzy Hash: A2414634A101099BCB01EF95DC81ADEB7B9EF44309F50847BE901B7392DB38AE05CB69

Function 0042E294 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2A0
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E43B,00000000,0042E453,?,?,?,?,00000006,?,00000000,00499145), ref: 0042E2BB
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E2C1

Strings

advapi32.dll, xrefs: 0042E2B6
RegDeleteKeyExA, xrefs: 0042E2B1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: ec6d5e68239a8fd64e2f61c23397c604527ea817bc29ae7d62183104243c5598
Instruction ID: a3ecee3a08e4bdafa542c89306e26d0a5ab5c090d3d5ae483566a3001d088d92
Opcode Fuzzy Hash: ec6d5e68239a8fd64e2f61c23397c604527ea817bc29ae7d62183104243c5598
Instruction Fuzzy Hash: B8E065B0740234EAD7142A66BC4AFA7260CEB54726F940877F10A661D187BC1C40D66C

Function 0046C7D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

NextButtonClick, xrefs: 0046C90C
Need to restart Windows? %s, xrefs: 0046CB55
PrepareToInstall failed: %s, xrefs: 0046CB2E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 48a18cf3e4ece820da987a55bd90d53010171917ae2cdbfb89dc97ba6e259d38
Instruction ID: 93777efb9077a0228fe374709ad1741880755db4a3f7640889f56f3bdeecc4c5
Opcode Fuzzy Hash: 48a18cf3e4ece820da987a55bd90d53010171917ae2cdbfb89dc97ba6e259d38
Instruction Fuzzy Hash: 9CD17F34A00108DFCB10EFA9C585AED7BF5EF49304F6444BAE444AB352E738AE45DB5A

Function 00484470 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004847C1), ref: 00484594
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00484632

Strings

, xrefs: 004846EF
Need to restart Windows? %s, xrefs: 0048466F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: a36d4d2325aca11e50613c3baf634984259e2acab097e48e72a037015c38f916
Instruction ID: cbf7044c9224e5df34f4324165486d78489046a6efa1a602e4c0c9b5677eb74d
Opcode Fuzzy Hash: a36d4d2325aca11e50613c3baf634984259e2acab097e48e72a037015c38f916
Instruction Fuzzy Hash: C591A334A042459FDB10FB66D885B9D77E0AF5A308F1444BBE800973A2D77CAD45CB5E

Function 00454868 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 200fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000), ref: 00454A8A
FindClose.KERNEL32(000000FF,00454AB5,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000,00000000), ref: 00454AA8

Strings

.H, xrefs: 00454B14, 004548F1, 00454902, 004548D4
.H, xrefs: 00454AB5, 00454A2F, 00454A32

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: .H$ .H
API String ID: 2066263336-1676226347
Opcode ID: b812543ddd1e95e384549bb7c1e7a692720bc7ce5864c938cf5b8a0bd1faa7d1
Instruction ID: 86a97b531f1ad2b4b7463d4220b8e0547854eedc1a857b6a9afda59406c2b972
Opcode Fuzzy Hash: b812543ddd1e95e384549bb7c1e7a692720bc7ce5864c938cf5b8a0bd1faa7d1
Instruction Fuzzy Hash: CF81A43490428DAFCF11DF65C8417EFBBB4AF89309F1440A6D8546B392C3399E8ACB58

Function 00470938 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

GetLastError.KERNEL32(00000000,00470B35,?,?,0049E1E4,00000000), ref: 00470A12
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00470A8C
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00470AB1

Strings

Creating directory: %s, xrefs: 004709FA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 31f421efa52e9648699e9d56291a46ed9d117f369a17eb341c08600e821ce678
Instruction ID: 27f0dcb835b35bf1686b0556d16ec1317b7bae4cbab61287d01ee882f408922b
Opcode Fuzzy Hash: 31f421efa52e9648699e9d56291a46ed9d117f369a17eb341c08600e821ce678
Instruction Fuzzy Hash: 0251FE74E01248ABDB01DFA5C982BDEB7F5AF48308F50856AE844B7382D7785F04CB59

Function 0045553C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004555EA
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004556B0), ref: 00455654

Strings

sfc.dll, xrefs: 004555AC
SfcIsFileProtected, xrefs: 004555E4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
Instruction ID: f46810b5b314b431af4f43299c3fabe32507941823b9175d405aae5aeba4d308
Opcode Fuzzy Hash: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
Instruction Fuzzy Hash: 9141A470A00618AFEB20DF55DC95BAD77B8AB04319F5080B7E90CA7292D7789F48CE1D

Function 00452C54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

74D41520.VERSION(00000000,?,?,?,?), ref: 00452C74
74D41500.VERSION(00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CA1
74D41540.VERSION(?,00452D18,?,?,00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CBB

Strings

)-E, xrefs: 00452CFF, 00452CC7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: D41500D41520D41540
String ID: )-E
API String ID: 2153611984-3997256589
Opcode ID: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
Instruction ID: 50707f88950aac898d8c4389756beb7c92bb5193b179b1fc1fca76f0aa7be7f8
Opcode Fuzzy Hash: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
Instruction Fuzzy Hash: 2B219275A00648AFDB01DAA99D419AFB7FCEB4A301F554077FC00E3282D6B99E088769

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
Error, xrefs: 00404DB9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
Instruction ID: c00c8b1b907268fe45c84c5108a6570d36dd98a08fca56cdb76ff5d345661702
Opcode Fuzzy Hash: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
Instruction Fuzzy Hash: 8F21D360E452418ADB10AB75ED8171A3B8097F930CF04817BE700B73E2C67CD84687AE

Function 00450390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 004503F8
LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 0045043E

Part of subcall function 00450360: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450378

Strings

RICHED20.DLL, xrefs: 004503E5
RICHED32.DLL, xrefs: 0045042B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: RICHED20.DLL$RICHED32.DLL
API String ID: 2630572097-740611112
Opcode ID: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
Instruction ID: 45d93e0d121fe09c7a50066aca23a685df4873c559958f5edeb39e7b45036801
Opcode Fuzzy Hash: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
Instruction Fuzzy Hash: EB216374900108EFDB10FF61E846B5D77F8EB55319F50447BE500A6162D7785A49CF5C

Function 0042F188 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4

Strings

shlwapi.dll, xrefs: 0042F1C1
SHAutoComplete, xrefs: 0042F1DE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
Instruction ID: f8fd25663858203a515409cfb2833324ac242db414aae85ffba9c986139a78a3
Opcode Fuzzy Hash: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
Instruction Fuzzy Hash: 9701D274B00718EBE711DB65EC42B5E7BFCDB99704FE000B7B404A2291DAB99E48C62C

Function 004561AC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,00456217,?,00000001,00000000), ref: 0045620A

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004561B8
PendingFileRenameOperations2, xrefs: 004561EB
PendingFileRenameOperations, xrefs: 004561DC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 26aed6e5fe3ea03506abb76c46215ae559a4fd81786fee60218c8c29e953e84b
Instruction ID: 13f9a8dc2762523c9d5034016e8e0e4cf56d15ba7b570f5b98feacd54ef34b89
Opcode Fuzzy Hash: 26aed6e5fe3ea03506abb76c46215ae559a4fd81786fee60218c8c29e953e84b
Instruction Fuzzy Hash: F2F06271348204ABD714E6E69C13B5B739CD784B15FE284A6F80487982EA79AD14962C

Function 0046FC5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F

Strings

Inno Setup: Setup Version, xrefs: 0046FC7D
VtG, xrefs: 0046FC61
I, xrefs: 0046FC89, 0046FC8F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version$VtG$I
API String ID: 3702945584-29442299
Opcode ID: 01fe2595a91c979785a9f0a3cbfdcbab837408d87d7a81537bd7bc401ac7c2bc
Instruction ID: 298cf4f1533d54ab550fd3d15e19e6a926ba71f9f01c0afe6301adb1283b93e4
Opcode Fuzzy Hash: 01fe2595a91c979785a9f0a3cbfdcbab837408d87d7a81537bd7bc401ac7c2bc
Instruction Fuzzy Hash: E7E06D713013043BD710AA2BAC85F5BAADCDF987A5F00403AB948DB392D578ED0542A8

Function 00481008 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00481201), ref: 004810AE
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00481201), ref: 004810BB
FindNextFileA.KERNEL32(000000FF,?,00000000,004811D4,?,?,?,?,00000000,00481201), ref: 004811B0
FindClose.KERNEL32(000000FF,004811DB,004811D4,?,?,?,?,00000000,00481201), ref: 004811CE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 56954df4aa532027655ea9e87aeadb7b453aeb4eaad063717caa07a8ffbd252c
Instruction ID: 32ce0b593b226a8a495a7b16ec3f8c392e3281c2b0d16565a73bd1b48714ff7d
Opcode Fuzzy Hash: 56954df4aa532027655ea9e87aeadb7b453aeb4eaad063717caa07a8ffbd252c
Instruction Fuzzy Hash: 95515E75A006489FCB10EF65CC45ADEB7BCEB89315F1045ABA808E7351D6389F86CF58

Function 004216C4 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 004217B1
SetMenu.USER32(00000000,00000000), ref: 004217CE
SetMenu.USER32(00000000,00000000), ref: 00421803
SetMenu.USER32(00000000,00000000), ref: 0042181F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
Instruction ID: 73b485f7b17ee0b128820b03b0310e3fef403fa1ec291b42cca88d6787b8c394
Opcode Fuzzy Hash: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
Instruction Fuzzy Hash: 44419E3070426407DB21BF3AA98579B66D55FA0308F4811BFE8458F3A3CA7CCC4A82AD

Function 00416F92 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416FD4
SetTextColor.GDI32(?,00000000), ref: 00416FEE
SetBkColor.GDI32(?,00000000), ref: 00417008
CallWindowProcA.USER32(?,?,?,?,?), ref: 00417030

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 2663e636a10a516644b319dd38bd24ec26a11bbb7cdbebd148a82c02926d9cca
Instruction ID: 97657bf4431c68cea31458eff6611b8cbcc4ca9acdd3171e17da9912607f4e93
Opcode Fuzzy Hash: 2663e636a10a516644b319dd38bd24ec26a11bbb7cdbebd148a82c02926d9cca
Instruction Fuzzy Hash: CE114CB1604600AFD710EE6ECD84E87B7ECDF48310B14882AB55ADB612C62CE8818B69

Function 00423ED4 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423E6C), ref: 00423EF8
GetWindow.USER32(?,00000003), ref: 00423F0D
GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
Instruction ID: 800f3c7d6b650a9444741cf3b456662361ea129bec99247a5177c247b1bc03b7
Opcode Fuzzy Hash: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
Instruction Fuzzy Hash: 5B117071B04610ABDB109F28ED85F5673F4EB08715F12026AF9649B2E2C37CDD40CB58

Function 00423518 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042356E
EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
ReleaseDC.USER32(00000000,00000000), ref: 00423594

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
Instruction ID: 3e91f746c00fb2f600ae5fc17e333cd129bb14a9c5a67b8d5949c9a763c02f3d
Opcode Fuzzy Hash: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
Instruction Fuzzy Hash: 5C019EB17457102AE710BF6A5C82B9B37A49F0531DF40427FF908AB3C2DA7E990547AE

Function 004556E4 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 00455710
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
Instruction ID: d914ecb4f604d225e93de076450c6742835d04a0b91abb11bcb899d5d614385b
Opcode Fuzzy Hash: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
Instruction Fuzzy Hash: 6101B570A40A09FEEB20A7A58D16F7F7BADDB49760F610167F904D32C2C6789D00CA68

Function 0047E054 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047E075
GetLastError.KERNEL32 ref: 0047E07F
GetTickCount.KERNEL32 ref: 0047E089
Sleep.KERNEL32(00000032), ref: 0047E099

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
Instruction ID: 9be5390d37519caeffefa09d8943b7800c28e667e42796fceef54f4227176e6c
Opcode Fuzzy Hash: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
Instruction Fuzzy Hash: 28E0E5213092A855C63035BB58C26AF45C9DA89768B244ABFE088D6283C89C4C05652E

Function 0040627C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040627F
GlobalUnlock.KERNEL32(00000000), ref: 00406286
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
GlobalLock.KERNEL32(00000000), ref: 00406291

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A

Function 0045CA60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077

FlushFileBuffers.KERNEL32(?), ref: 0045CC95

Strings

EndOffset range exceeded, xrefs: 0045CBC9
NumRecs range exceeded, xrefs: 0045CB92

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
Instruction ID: 609741d3f79eabe780872f94ce4b5bf90fe53003262008b9b2f446b63576a9fa
Opcode Fuzzy Hash: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
Instruction Fuzzy Hash: 6E615234A002588FDB25DF25D881BDAB7B5EF49305F0084DAED899B352D6B4AEC8CF54

Function 00484978 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849B1
SetActiveWindow.USER32(?,00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849C3

Strings

Will not restart Windows automatically., xrefs: 00484AE2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: e9fd9b813b1150c3656dd19ef81cb097417f0f4d1130d5c98022cf40aa9a9c5d
Instruction ID: e3ffbfa0a86cb08642d5b37a1a1eca219a4b332c0ee086946791bcc458de558f
Opcode Fuzzy Hash: e9fd9b813b1150c3656dd19ef81cb097417f0f4d1130d5c98022cf40aa9a9c5d
Instruction Fuzzy Hash: 64415930644245EFD714FFA6EC05B6E7BE4D795308F1948B7E8405B392E2BC9800971E

Function 0049A490 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
Part of subcall function 004063F4: GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453

Part of subcall function 00406814: 6F551CD0.COMCTL32(0049A4AD), ref: 00406814

Part of subcall function 00410BB4: GetCurrentThreadId.KERNEL32 ref: 00410C02

Part of subcall function 00419490: GetVersion.KERNEL32(0049A4C6), ref: 00419490

Part of subcall function 0044FD1C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
Part of subcall function 0044FD1C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D

Part of subcall function 004501E8: GetVersionExA.KERNEL32(0049D794,0049A4DF), ref: 004501F7

Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976

Part of subcall function 00457850: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA

Part of subcall function 00465214: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
Part of subcall function 00465214: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265

Part of subcall function 0046DAB0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB

Part of subcall function 00479E68: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B

Part of subcall function 00485374: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485

Part of subcall function 0049749C: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004974B5

SetErrorMode.KERNEL32(00000001,00000000,0049A554), ref: 0049A526

Part of subcall function 0049A250: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
Part of subcall function 0049A250: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260

Part of subcall function 00424924: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424943

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

ShowWindow.USER32(?,00000005,00000000,0049A554), ref: 0049A587

Part of subcall function 004839B4: SetActiveWindow.USER32(?), ref: 00483A62

Strings

Setup, xrefs: 0049A56D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 2300352135-3839654196
Opcode ID: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
Instruction ID: 2627a5300f3eb19f067de96b875d46ae0be93d5911e26a22e66c9acfb87dca20
Opcode Fuzzy Hash: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
Instruction Fuzzy Hash: AA31B3712046409EDB01BBB7AC1391D3BA8EB8971CB62487FF90486563DE3D5C24867F

Function 004775F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 004776F8
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 0047770C

Strings

Extracting temporary file: , xrefs: 00477634

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: 8d8d29b45fb9742880719863d89589a4356bfd1e7f13b2e05d84abbcd72ab195
Instruction ID: 13e9f88ccb8282ea38195536ff5c63a907cbb836f3d7a61bc1ee4cb3f854d839
Opcode Fuzzy Hash: 8d8d29b45fb9742880719863d89589a4356bfd1e7f13b2e05d84abbcd72ab195
Instruction Fuzzy Hash: 4041B774A04649AFCB01DF65CC91AEFBBB8EB09304F51847AF910A7391D678A901CB98

Function 0047A0E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,0047A1C6,?,?,00000001,00000000,00000000,0047A1E1), ref: 0047A1AF

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047A13A
%s\%s_is1, xrefs: 0047A158

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: ed3c9ed544e9992b8fac624f4914d5ae006c7f9a390fec7504e0c8a2c970f41f
Instruction ID: 0d63d1a050f55a8da938840af3d9f6bfa62d29ba12cdbe4796c61ae60ad15f2e
Opcode Fuzzy Hash: ed3c9ed544e9992b8fac624f4914d5ae006c7f9a390fec7504e0c8a2c970f41f
Instruction Fuzzy Hash: 8E216474B042449FEB01DFA9CC516EEBBF8EB89704F90847AE404E7381D7789E158B59

Function 0045418C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541D2
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541DB

Strings

.tmp, xrefs: 004541BB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 6f4460bb771477b2532cc418dcf8c2749320d1c4241bb26b34006b525e4e1938
Instruction ID: f8da180511d522ff1cc3db6e91f047bd7ddaecfb92c8c1642a91e8309ff3a61b
Opcode Fuzzy Hash: 6f4460bb771477b2532cc418dcf8c2749320d1c4241bb26b34006b525e4e1938
Instruction Fuzzy Hash: 19214E75A002189BDB01EFA1C8465DEB7BDEF44305F50457BF801B7382D67C5E458BA9

Function 00485374 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
Part of subcall function 00484E68: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
Part of subcall function 00484E68: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2

Part of subcall function 00485194: GetVersionExA.KERNEL32(?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851A2
Part of subcall function 00485194: GetVersionExA.KERNEL32(0000009C,?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851F4

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485

Strings

SHGetKnownFolderPath, xrefs: 00485452
shell32.dll, xrefs: 0048546D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 1303913335-2936008475
Opcode ID: 8d9af6f5cb47815f3ef02b670df531d4aca205f4dd503ff5ab0741a2b0aad5e0
Instruction ID: 7070cd684f6103364e9f8a31a7d8965128adaac247882cc77746aeeddc076857
Opcode Fuzzy Hash: 8d9af6f5cb47815f3ef02b670df531d4aca205f4dd503ff5ab0741a2b0aad5e0
Instruction Fuzzy Hash: F9215E70600200ABC711FFAF995674E37A4EB9570CB51993FF400AB2D1D77DA8059B6E

Function 0045304C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 00453083
GetLastError.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 0045308B

Strings

@8H, xrefs: 004530B9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: @8H
API String ID: 2018770650-3762495883
Opcode ID: a1fb3666b45fe32249cf4b68f1752c0b17d8b18f48336da527a90bea16c05efb
Instruction ID: 483a50349848f844724b37c9089874c2f5155cc8dca7ffd3c90c1c5b4081c312
Opcode Fuzzy Hash: a1fb3666b45fe32249cf4b68f1752c0b17d8b18f48336da527a90bea16c05efb
Instruction Fuzzy Hash: 74F0C871A04708AFCB01DFB9AC4249EB7ECDB0975675045B7FC04E3282EB785F188599

Function 00453554 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 0045358B
GetLastError.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 00453593

Strings

@8H, xrefs: 004535C1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: @8H
API String ID: 377330604-3762495883
Opcode ID: ed9ee3e2dc24464d0c236720d007919d28e5762e289691b171a35ab4808c6178
Instruction ID: 7fd71ab76445d730fbf8dcc8275d2678ef65a3f2b88ec35f2c7a4b5c8e56db9b
Opcode Fuzzy Hash: ed9ee3e2dc24464d0c236720d007919d28e5762e289691b171a35ab4808c6178
Instruction Fuzzy Hash: B2F0C271A04608BBCB01EFB9AC4249EB7E8EB0975675049BBFC04E3242F7785F088598

Function 00457850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004577E0: CoInitialize.OLE32(00000000), ref: 004577E6

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA

Strings

shell32.dll, xrefs: 00457892
SHCreateItemFromParsingName, xrefs: 00457877

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 1013667774-2320870614
Opcode ID: f768b6972bd4a9b7486ce10d9acfcd5e81d127b13faf4c2cc7ed9affc27adf63
Instruction ID: 9566a5db5de29e1f96e1247fa15de811f0c6c8f84fbefe9709ba2c3b4718617c
Opcode Fuzzy Hash: f768b6972bd4a9b7486ce10d9acfcd5e81d127b13faf4c2cc7ed9affc27adf63
Instruction Fuzzy Hash: 4DF03670604608BBE701FBA6E842F5D7BACDB45759F604477B800A6592D67CAE04C92D

Function 0046DAB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB

Strings

shell32.dll, xrefs: 0046DAE3
SHPathPrepareForWriteA, xrefs: 0046DAC8

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2552568031-2683653824
Opcode ID: d5f4c7af768d16b3b5c6a86f87ef45a876fa3cc5c322967070caf22bd86c78e1
Instruction ID: 91b75a77547c13e1772f921c750cf7bd45708da1ec0dc58a0f4cb33c0377533c
Opcode Fuzzy Hash: d5f4c7af768d16b3b5c6a86f87ef45a876fa3cc5c322967070caf22bd86c78e1
Instruction Fuzzy Hash: B5F04430B04608BBD700EF52DC52F5DBBACEB45B14FA14076B40067595E678AE048A2D

Function 0047D8E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047DC36,00000000,0047DC4C), ref: 0047D946

Strings

RegisteredOwner, xrefs: 0047D923
RegisteredOrganization, xrefs: 0047D935

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: d4927c1d3794e351f7864a9843da2db15e63a7a3432c113007369929f19e5816
Instruction ID: 03cfcff152a519ea80d4f5543ba1c5a79f91faf414c5488bd5ec988fdc31f9f9
Opcode Fuzzy Hash: d4927c1d3794e351f7864a9843da2db15e63a7a3432c113007369929f19e5816
Instruction Fuzzy Hash: B6F0BBB0B042449BDB04D667AC93BDB37B9CB41308F24847BA2459B392D67C9D00D75D

Function 004763E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476409
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476420

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

CreateFile, xrefs: 00476415

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: dfe37b7c2a5045629fd8e0b2a77d405f8cad1a2ae405d18a87ba2f0597c9e29b
Instruction ID: 7bcc5fcb2fff494360280e2963ad1350d0a4ff74aab44489db68ce07f01780cc
Opcode Fuzzy Hash: dfe37b7c2a5045629fd8e0b2a77d405f8cad1a2ae405d18a87ba2f0597c9e29b
Instruction Fuzzy Hash: CDE06D302403447BEA20EB69DCC6F4A77D89B04738F108161FA48AF3E2C6B9EC408A5C

Function 0046FCCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0047034A,?,?,00000000,00470532,?,_is1,?), ref: 0046FCDF

Strings

NoModify, xrefs: 0046FCDD
I, xrefs: 0046FCE9, 0046FCEF

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Value
String ID: NoModify$I
API String ID: 3702945584-1047506205
Opcode ID: 3b8341a2778ff8ba3f6fd97ccb953c8a619a9620ee14e4a078d82245842b3605
Instruction ID: 74656710be1799963dacf24c43606be2f52e229709c8467fcc2139d849b5a3c3
Opcode Fuzzy Hash: 3b8341a2778ff8ba3f6fd97ccb953c8a619a9620ee14e4a078d82245842b3605
Instruction Fuzzy Hash: 1AE04FB0640308BFEB04DB55DD4AF6BB7ACDB48750F104059BA44DB381EA74FE008658

Function 00483068 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,004831A0), ref: 00483138
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00483149
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00483161

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: b1581a0f06f3993262020228058a878573e1761b052ad4db3e08fed4fbd829c7
Instruction ID: 62bbcf7b8eda1c1d1fe504de26200215c04982407344b62899e0b3f82f18d8db
Opcode Fuzzy Hash: b1581a0f06f3993262020228058a878573e1761b052ad4db3e08fed4fbd829c7
Instruction Fuzzy Hash: 6431B0707083445AD710FF368C86B9E7A945B55B08F44593FB9009B3E3CA7D9E09876D

Function 0044B82C Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044B8A1
SelectObject.GDI32(?,00000000), ref: 0044B8C4
ReleaseDC.USER32(00000000,?), ref: 0044B8F7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID:
API String ID: 1831053106-0
Opcode ID: aebefea9080a2ffce71cc44d900bb6067fbd40711943de4e6aa6f899a124bbe5
Instruction ID: 488fbe92d3dbd6553530e1f28a7071e145c326c324a604cd7e83169de99d3e99
Opcode Fuzzy Hash: aebefea9080a2ffce71cc44d900bb6067fbd40711943de4e6aa6f899a124bbe5
Instruction Fuzzy Hash: B321A470E043086FEB05EFA5C841B9EBBB8EB48304F0184BAF504A6292D73CD940CB58

Function 0044B560 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B5EC,?,004839CF,?,?), ref: 0044B5BE
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B5D1
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B605

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
Instruction ID: c4c5e2dbcf53f363daa0ac06871d419456bbfc1076f0fbe0a6f7c1d9791685bd
Opcode Fuzzy Hash: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
Instruction Fuzzy Hash: 1011CBB27045047FE711DB5A9C81D6FB7ECEB89714F10417BF514D72D0D6389E018669

Function 0042484C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424862
TranslateMessage.USER32(?), ref: 004248DF
DispatchMessageA.USER32(?), ref: 004248E9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
Instruction ID: c7af1bd1b10d32b98fa997e15213bd70182e4a6faef26a56c53dd2d0e562e7a0
Opcode Fuzzy Hash: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
Instruction Fuzzy Hash: 7111C4343143905AEA20F664A94179B73D4DFD1B04F81481FF8D947382D3BD9D49876B

Function 00416A94 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 00416ABA
SetPropA.USER32(00000000,00000000), ref: 00416ACF
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416AF6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
Instruction ID: ba7ff3a79511e9fd345c6eb2e7309737472e1a66b8435aad7f351e84ed883601
Opcode Fuzzy Hash: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
Instruction Fuzzy Hash: 24F0B271701210ABD710AB698C85FA636ECAF0D755F16417ABA05EF286C679DC4087A8

Function 0041F2A4 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041F2B4
IsWindowEnabled.USER32(?), ref: 0041F2BE
EnableWindow.USER32(?,00000000), ref: 0041F2E4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
Instruction ID: f88b3158499dd9289c75302ad3040ea965d59b676cda83e5cbf87f6be83bac28
Opcode Fuzzy Hash: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
Instruction Fuzzy Hash: 56E06D74200200ABE310AB26ED81A56779CEB10314F118437A849AB293D63AD8458ABC

Function 00484808 Relevance: 4.5, APIs: 3, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,?,?,0048486D,?,00484952,?,?,00000000), ref: 0048480E
GetWindowThreadProcessId.USER32(00000000,?), ref: 00484820
GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,0048486D,?,00484952,?,?,00000000), ref: 00484829

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ProcessWindow$CurrentForegroundThread
String ID:
API String ID: 3477312055-0
Opcode ID: 9f51dd0a086dfbcb1114822517b22dcc69f79606d1d2df2038485f7abb79e1d8
Instruction ID: 1f5535e564554d04b279d15e2d0f53a7c3fa56dd59ea92930bb6cd4aac111565
Opcode Fuzzy Hash: 9f51dd0a086dfbcb1114822517b22dcc69f79606d1d2df2038485f7abb79e1d8
Instruction Fuzzy Hash: 79D01273506A2A7E6610F5E96D81CAFB39CD900758714017BF904A2241EA299E0486BD

Function 0046ABA0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0046ACB1

Strings

PrepareToInstall, xrefs: 0046AC5B, 0046AD02

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: cd5b1a0b912d67a437e6bbd69532862deafe0fefe239bb55885b848769b7218e
Instruction ID: fdee18710babf5e336c1910aeb408bf0e6a903f892d838ad66a8bf575b9628a0
Opcode Fuzzy Hash: cd5b1a0b912d67a437e6bbd69532862deafe0fefe239bb55885b848769b7218e
Instruction Fuzzy Hash: 90A10C74A00109DFCB00EF99D886E9EB7F5AF48304F5540B6E404AB366D738AE45DB5A

Function 0046D17C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 0046D318, 0046D32F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
Instruction ID: f677315d7a897bddb44220e636167c4a4d5a92338f94b0a6c85659efeb8beb4e
Opcode Fuzzy Hash: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
Instruction Fuzzy Hash: 95719770F04208ABDB10EB66DC92F9E77A15B41308F1480A7F900BB392E6B99D45875F

Function 004839B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00483A62

Strings

InitializeWizard, xrefs: 004839FB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: a861e86f873b0b524708e3a991eb87abaee121498e86a8c8c1a9999c172b55c2
Instruction ID: 9a8fbe648e99d25b3c1ebd2b051959da3f81131ff902f8f70686133b91dd172c
Opcode Fuzzy Hash: a861e86f873b0b524708e3a991eb87abaee121498e86a8c8c1a9999c172b55c2
Instruction Fuzzy Hash: BD119170608104DFD704EF2AFC85B597BE8E714718F22847BE544872A2EBB96D00DB6D

Function 0047E0A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0047E0F2

Strings

Failed to remove temporary directory: , xrefs: 0047E10B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory:
API String ID: 536389180-3544197614
Opcode ID: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
Instruction ID: ac5e1a37918f7d070e72ace47ef54387b1d6805ebc6ff4ed15476670fa48ed12
Opcode Fuzzy Hash: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
Instruction Fuzzy Hash: 5A017930604204AADB11EB73DC47FDA3798DB49709F6089BBB504B62E2DBBC9D04D55C

Function 0047D800 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047DA4C,00000000,0047DC4C), ref: 0047D845

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047D815

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 53df27f75c1619b18280fce424738c59cd53f5d3a215a116b7eac3c2b38ec33c
Instruction ID: 9e1ac37bc360ea69ca44dde089ba04ba4b826bb97de6a423fadd5e819c649f8f
Opcode Fuzzy Hash: 53df27f75c1619b18280fce424738c59cd53f5d3a215a116b7eac3c2b38ec33c
Instruction Fuzzy Hash: 09F08231B04114A7DB00B69A9C42BAEA7AC8F84758F20807BF519EB242D9B99E0143AD

Function 0042E26C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042E286

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
Instruction ID: 65e6a506820a5022674633d18044d67bbd02e357da0c4a821f6ebd0b5300d4b8
Opcode Fuzzy Hash: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
Instruction Fuzzy Hash: B7D09272910228BBAB009A89DC41DFB77ADDB1A760F80806AF91897241D2B4AC519BF4

Function 0047F778 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047FA57,?,-0000001A,00481956,-00000010,?,00000004,0000001C,00000000,00481CA3,?,0045E364), ref: 0047F7EE

Part of subcall function 0042E76C: GetDC.USER32(00000000), ref: 0042E77B
Part of subcall function 0042E76C: EnumFontsA.GDI32(?,00000000,0042E758,00000000,00000000,0042E7C4,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0042E7A6
Part of subcall function 0042E76C: ReleaseDC.USER32(00000000,?), ref: 0042E7BE

SendNotifyMessageA.USER32(00020450,00000496,00002711,-00000001), ref: 0047F9BE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
Instruction ID: 2351f95844d6f0f86e4a4553bb1ee5652cba21286aa46acec5315b7e6dd2a420
Opcode Fuzzy Hash: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
Instruction Fuzzy Hash: 865196B46001009BD710FF26D98179A37A9EB54309B50C53BA4099F3A7CB3CED4ACB9E

Function 0042E050 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E08C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E0FC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
Instruction ID: f9a1da9ca9b7937b0bb3d9b331acc3eaa2fb365deabda7ea02547e95fe34f262
Opcode Fuzzy Hash: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
Instruction Fuzzy Hash: 77415E71E00129ABDB11DF92D881BBFB7B9EB01704F944576E814F7281D778AE01CBA9

Function 0042E310 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042E426,?,?,00000008,00000000,00000000,0042E453), ref: 0042E3BC
RegCloseKey.ADVAPI32(?,0042E42D,?,00000000,00000000,00000000,00000000,00000000,0042E426,?,?,00000008,00000000,00000000,0042E453), ref: 0042E420

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: ba9fca61959f2a1fd28644f420a32ef2aa2387f9cea893e540c804915765ba19
Instruction ID: a18f9d464683a8b418f1d9d9c182c699679c3713f239d59a614a00dbe2042668
Opcode Fuzzy Hash: ba9fca61959f2a1fd28644f420a32ef2aa2387f9cea893e540c804915765ba19
Instruction Fuzzy Hash: 3E318670B04254AFDB11EBA3EC52BBFBBB9EB45305F90447BE500B3291D6785E01CA29

Function 00452F2C Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F80
GetLastError.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F88

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: 1398244007b20135f5cbcb84ec70d62da1e947103cbbdaeddf7845a69a56a8f1
Instruction ID: 1642ece03f316e66375c060ca7626bc18a341a32778e3b1f8c5ba0bc81bd916e
Opcode Fuzzy Hash: 1398244007b20135f5cbcb84ec70d62da1e947103cbbdaeddf7845a69a56a8f1
Instruction Fuzzy Hash: E7112772A04208AF8B40DEA9ED41D9FB7ECEB4E310B11456BBD08D3241D678AD159B68

Function 0040B228 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B242
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B39F,00000000,0040B3B7,?,?,?,00000000), ref: 0040B253

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
Instruction ID: 99f6b945ddddc3ffa7954b5b99b0f089effa67c77682540e1bcd22500dccd1d0
Opcode Fuzzy Hash: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
Instruction Fuzzy Hash: 9101F7717043006FE700EF69DC52D1A77ADDB89718711807AF500EB2D0D63D9C0196AD

Function 0041F2F4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F343
EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
Instruction ID: ded2603fe903b3ccb75c053802ed51acc4a1ef0e0cc57bb05547c7342bcbb188
Opcode Fuzzy Hash: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
Instruction Fuzzy Hash: B2016D74A04B08BFD301CF66ED1195ABBF8F749724B22C877E854D3AA0E73459119E58

Function 004533C4 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00453406
GetLastError.KERNEL32(00000000,00000000,00000000,0045342C), ref: 0045340E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
Instruction ID: 0cc30b72992c59045a3cb8216ce3619e412531a307d766600c380e57d1775dbb
Opcode Fuzzy Hash: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
Instruction Fuzzy Hash: 6101D671B04204BB8701EFB9AC4249EB7ECDB49766760457BFC04E3242EA789F088558

Function 00452EB4 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EED
GetLastError.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EF5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7cb2c570ac219d0ee22c88f96f5bf87a62d98c3fd0f6f1ca7cf3871b5df67843
Instruction ID: 89335b5e5455deb896f2d2efe83bb95299e3db0618b413de6719cdd134c6b725
Opcode Fuzzy Hash: 7cb2c570ac219d0ee22c88f96f5bf87a62d98c3fd0f6f1ca7cf3871b5df67843
Instruction Fuzzy Hash: CEF02872A04304BBCB01EF75AD0259EB3E8DB0A321B5045BBFC04E3282E7B94E049698

Function 00453224 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 0045325D
GetLastError.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 00453265

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 93a4445a77e87f832db48cc37b7d9a5725dfb79c3c3b600bc74ddeadc40bd50e
Instruction ID: 5db4c9d18fff2c699384bf48158aad256892f70ed416b0cdc9347702aa33957f
Opcode Fuzzy Hash: 93a4445a77e87f832db48cc37b7d9a5725dfb79c3c3b600bc74ddeadc40bd50e
Instruction Fuzzy Hash: D5F0FC71A04B04ABCB10DFB9AD4249DB3A8DB49766B5046FBFC14E3682DB785F04859C

Function 0042368C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423699
LoadCursorA.USER32(00000000,00000000), ref: 004236C3

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
Instruction ID: 05fd857f6409e6a60644ea24615d01c87e42662e453bf4d6e4e1dfbb00014e4e
Opcode Fuzzy Hash: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
Instruction Fuzzy Hash: F2F0A7517002107ADA205E3E6CC0A2A72ADCBC1735B61437BFA2AE73D1C72D5D45556D

Function 0042E7E4 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b4fdb90dd8f6dfc429e23110810c204407b66d19ffb3595c1bc568b2ae7c347
Instruction ID: 76a16bdd6934cf9e499703eeb82aeaab1faf94a78ecb328ba4f7015bbedd62a6
Opcode Fuzzy Hash: 9b4fdb90dd8f6dfc429e23110810c204407b66d19ffb3595c1bc568b2ae7c347
Instruction Fuzzy Hash: 13F08270B14744BEDB116F779C6282BBBECE749B1079348B6F800A3A91E63C4C10C968

Function 00477E4C Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(6F5127E0,?,?,?,?), ref: 00477E79
CallWindowProcW.USER32(FFFF0466,?,?,?,?), ref: 00477E8A

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3b3bcb1a515eb24d18246344862472c5999d5df4409f8f541189235709fabbb3
Instruction ID: e3cdc248f3d34916c976d05d9458007ce5e90364cfce0ac0a3cfd78eef4de0e7
Opcode Fuzzy Hash: 3b3bcb1a515eb24d18246344862472c5999d5df4409f8f541189235709fabbb3
Instruction Fuzzy Hash: 30F030B2114318BBDA00DA6ADC89CA777ACEF59360B00C637BD18933A0D178AD008678

Function 0046EE04 Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0046EE9A), ref: 0046EE0E
CoCreateInstance.OLE32(0049BB9C,00000000,00000001,0049BBAC,?,?,0046EE9A), ref: 0046EE2A

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 780da2f8f06851a502736db72271cf8d77c3ee5523c6db3b3ed376e5da340fe9
Instruction ID: 784abeb2b863a263b0685f2ce256345c834679a9cfc70721c753cc97000ad865
Opcode Fuzzy Hash: 780da2f8f06851a502736db72271cf8d77c3ee5523c6db3b3ed376e5da340fe9
Instruction Fuzzy Hash: 2AF0E534241310EEFB11E72BDC4AB4A3BC4AB25714F14403BF144972A1E3EE94808B6F

Function 0041671A Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 00416731
GetClassInfoA.USER32(00000000,?,?), ref: 00416741

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: d17345ab9950f68f1f104603a375dc2c5e22966700f41ddff89a6cf19b5b6da3
Instruction ID: fd9875a215ec353102ef76963993ed989aa11c6eeb2d05a4b237c4ae5cfc76fd
Opcode Fuzzy Hash: d17345ab9950f68f1f104603a375dc2c5e22966700f41ddff89a6cf19b5b6da3
Instruction Fuzzy Hash: 97E012B26115115AD710DB98CD81EE736DCDB08314B110163BE08CB145D364DD0047A8

Function 0047DB95 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(0049BD54,00008000,00000000,?), ref: 0047DBA5
CoTaskMemFree.OLE32(?,0047DBE8), ref: 0047DBDB

Strings

COMMAND.COM, xrefs: 0047DC27
cmd.exe, xrefs: 0047DC06
Failed to get path of 64-bit Common Files directory, xrefs: 0047DB18
SystemDrive, xrefs: 0047D9DF
\Program Files, xrefs: 0047DA67
CommonFilesDir, xrefs: 0047DA7A, 0047DAF6
ProgramFilesDir, xrefs: 0047DA40, 0047DAC7
Common Files, xrefs: 0047DAB1
Failed to get path of 64-bit Program Files directory, xrefs: 0047DAE9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
Instruction ID: 547cb950fcd41f41a68947569da9652c82defc7c7397c5e87919afd81bca1a0c
Opcode Fuzzy Hash: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
Instruction Fuzzy Hash: F5E06534714640BEEB119A619D12B5977B8EB85B04FB28476F50496690D678A9009A18

Function 0045103C Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 00451052
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 0045105A

Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 57e3a47998fe8597b6042e5f5bf28c6be865df3206a1389c22972bb96d3862bd
Instruction ID: e16622de0e040581c0824a6ac5d1d77e375427595308dce999b5737054ed6bda
Opcode Fuzzy Hash: 57e3a47998fe8597b6042e5f5bf28c6be865df3206a1389c22972bb96d3862bd
Instruction Fuzzy Hash: 86E012B5344201ABE700FAB599C1F2B22DCDB44755F10846AF944DA187D674DC498B35

Function 0048483C Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00484846
GetTickCount.KERNEL32 ref: 0048483D

Part of subcall function 00484808: GetForegroundWindow.USER32(00000000,00000000,?,?,0048486D,?,00484952,?,?,00000000), ref: 0048480E
Part of subcall function 00484808: GetWindowThreadProcessId.USER32(00000000,?), ref: 00484820
Part of subcall function 00484808: GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,0048486D,?,00484952,?,?,00000000), ref: 00484829

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CountProcessTickWindow$CurrentForegroundThread
String ID:
API String ID: 711787588-0
Opcode ID: b5012c5d5f67b50791137d02010e47c7c65d22dc99dd8034a83b9399e6e836ec
Instruction ID: 15379a2e01471303efff648884838df7c38ffaa6109914de87cf785516410688
Opcode Fuzzy Hash: b5012c5d5f67b50791137d02010e47c7c65d22dc99dd8034a83b9399e6e836ec
Instruction Fuzzy Hash: 76D0A94C61028305CD00BBB3828622D01409FC031DF000C3FB80A9B283DE1C8100833F

Function 0041F444 Relevance: 3.0, APIs: 2, Instructions: 16threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F45E
EnumThreadWindows.USER32(00000000,0041F3E0,00000000), ref: 0041F464

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 714e2587f2e5118136e687c91d65361c8421099981035becec4dff953f00131f
Instruction ID: 68741bc32d62e3c0e2143af6d8bcd4559dc66fbf958b0e80957fbdef8d5f35d8
Opcode Fuzzy Hash: 714e2587f2e5118136e687c91d65361c8421099981035becec4dff953f00131f
Instruction Fuzzy Hash: 92E04CB1A00600AFDB10EF35FF4575A37E4E720718F16483BA884D21A1D3745844DA9C

Function 0040626C Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0040626E
GlobalLock.KERNEL32(00000000), ref: 00406274

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Global$AllocLock
String ID:
API String ID: 15508794-0
Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction ID: 56019af84ea84d57b40f02c4528a45173e4f1cdf38a2be340d0d32551c2e1a06
Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
Instruction Fuzzy Hash: 699002C4C01A00A4DC0072B20C0BD3F101CD8C072C3D1486F7044B6483887C88000979

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
Instruction ID: a6323659c4e3f22e280215c11bf30f87fcb27bed7f3312751ebcd43238c0638b
Opcode Fuzzy Hash: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
Instruction Fuzzy Hash: CCF08272A0063067EB60596A4C81B5359849BC5794F154076FD09FF3E9D6B58C0142A9

Function 00408A2C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408B62), ref: 00408A4B

Part of subcall function 0040723C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407259

Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
Instruction ID: 2280d21d464d6860fad4d2303e4b2489916fa30e512bd771d5ffef80d8a4ef38
Opcode Fuzzy Hash: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
Instruction Fuzzy Hash: F6315275E001099BCF00EF95C8819EEB779EF84314F51857BE815BB385E738AE058B99

Function 0041FFEC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 00420089

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 3edf798da742a1a67383ead948891c4ca252191c32eeff7b634738f170ced4ea
Instruction ID: a69ccf46589f52d523cedfa5b555af8e95575bce60e7416ef6aeac4177a5bf43
Opcode Fuzzy Hash: 3edf798da742a1a67383ead948891c4ca252191c32eeff7b634738f170ced4ea
Instruction Fuzzy Hash: BA2151B1604755AFD340DF39A440767BBE4BB48344F04892EE098C3342E775E995CBD6

Function 0046D110 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
Part of subcall function 0041F2F4: EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046D16E,?,00000000,?,?,0046D380,?,00000000,0046D3F4), ref: 0046D152

Part of subcall function 0041F3A8: IsWindow.USER32(?), ref: 0041F3B6
Part of subcall function 0041F3A8: EnableWindow.USER32(?,00000001), ref: 0041F3C5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
String ID:
API String ID: 3319771486-0
Opcode ID: 9f032309dcde971134040d123568164e642ddd2cabc1e4735cf40f63c5ed8cf9
Instruction ID: b16b0b1c8f0f43ce2eded6e4310be42afa410753b2a581968e322ef2fdc8cd52
Opcode Fuzzy Hash: 9f032309dcde971134040d123568164e642ddd2cabc1e4735cf40f63c5ed8cf9
Instruction Fuzzy Hash: EFF0BEB1B08344BFFB05DB72EC56B6AB7A8E30A714F61447BF404861A0EAF95840852E

Function 0042CC54 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FullNamePath
String ID:
API String ID: 608056474-0
Opcode ID: 428d784e0bfc7ea914628290b6176d02b3cebe94b5205d1ffc685c49e669826c
Instruction ID: a2a3468b7bc3cfdf25810f87908f7fe28db096dc5188f9b8c4dedd834d11342f
Opcode Fuzzy Hash: 428d784e0bfc7ea914628290b6176d02b3cebe94b5205d1ffc685c49e669826c
Instruction Fuzzy Hash: BFE0EC6170051023D611556F6CC15BF518C8BD4375F04013BB95CDB3D1DABDCE45019E

Function 004169A0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004169D5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 055c9416affa8369aca5a52daf2b71abecd104a899c95fff13876bf4c34adbe4
Instruction ID: 76b9729045c620b17443a4bfae3f317f1f80b082859ffabd1d53e10c409eed5a
Opcode Fuzzy Hash: 055c9416affa8369aca5a52daf2b71abecd104a899c95fff13876bf4c34adbe4
Instruction Fuzzy Hash: FEF025B2600510AFDB84CF9CD8C0F9373ECEB0C210B0881A6FA08CF21AD220EC108BB0

Function 00414E04 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E3F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 00450F08 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450F48

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
Instruction ID: 8219f7e09200e9d280371fd8822ce49b3febf2e1364c7dcaf59ee2aef9f1cf3d
Opcode Fuzzy Hash: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
Instruction Fuzzy Hash: E2E0EDB53541483ED6809AAD7D42F9667DCD71A724F008033B998D7241D5619D158BE8

Function 0042D11C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042D164,?,00000001,?,?,00000000,?,0042D1B6,00000000,00453169,00000000,0045318A,?,00000000), ref: 0042D147

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
Instruction ID: 9806b9c164805e7544688198397d180b04c1e4ca63c7d3d80aa3ce68cdb407ca
Opcode Fuzzy Hash: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
Instruction Fuzzy Hash: 74E09271704704BFD701EF62DC53E6BBBECDB89B18BA14876B400E7692D6789E10D468

Function 0042ED18 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
Instruction ID: 20bfa46e39afc277729b0f592bdc1926ad718625f52f7f76be7811270f12921f
Opcode Fuzzy Hash: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
Instruction Fuzzy Hash: 0DE0206179471216F2351416AC47B77530E43C0704F944436BF50DD3E3D6AED906465E

Function 004062F8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00423ACC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00406321

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
Opcode Fuzzy Hash: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71

Function 0042E234 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
Instruction ID: 1b6ad3e9ff9242377371a87229ab788a86a92e19cf0220c3a89558970fe9bf90
Opcode Fuzzy Hash: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
Instruction Fuzzy Hash: 58E07EB6600119AF9B40DE8DDC81EEB37ADAB5D360F444016FA48E7200C2B8EC519BB4

Function 00455360 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0047194C,00000000,00472768,?,00000000,004727B1,?,00000000,004728EA,?,00000000,?,00000000,I), ref: 00455376

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 36cd9f84857256ac69cfb0465bd1e7b3074f7074ae305d1ba71a48d654773a12
Instruction ID: 8b71881552422ad0faea9fb58b8cbe3f8cf10286c40a53e64c89ff98b22cfa58
Opcode Fuzzy Hash: 36cd9f84857256ac69cfb0465bd1e7b3074f7074ae305d1ba71a48d654773a12
Instruction Fuzzy Hash: 74E09BB0504A004BC714DF7A848132A77D15F84321F04C96ABC9CCB7D7E67C84154667

Function 00414ACC Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(004972CE,?,004972F0,?,?,00000000,004972CE,?,?), ref: 00414AEB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00407360 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407374

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
Instruction ID: 7137799a8a619894c36928dc497025c8ae4ce5b7c347e91e7b4e2a044eac2fb2
Opcode Fuzzy Hash: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
Instruction Fuzzy Hash: CFD05B723082507BE320A55B5C44EAB6BDCCBC5774F10063EF958D31C1D6349C01C675

Function 00423A9C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423A48: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A5D

ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Part of subcall function 00423A78: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423A94

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
Instruction ID: b4979a057c5364df20928e0f8112b75834207fc47edce7a1cb621b48fadbe9ee
Opcode Fuzzy Hash: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
Instruction Fuzzy Hash: E4D0A7137811703143117BB738469BF46EC4DD26AB38808BBB5C0DB303E91E8E051278

Function 00424714 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0042472C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
Instruction ID: 0401e0c0b6f3d46f422729750133087b7afca2a32056b90ced50410e3746bfe3
Opcode Fuzzy Hash: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
Instruction Fuzzy Hash: 17D05EE27011602BCB01BAAD54C4ACA67CC8B8936AB1440BBF908EF257C638CE458398

Function 0042D1BC Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00453399,00000000,004533B2,?,-00000001,00000000), ref: 0042D1C7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
Instruction ID: bf35e0695d646f252302ae8c05399a3b1551c06c76099583daea3b520eb86f7d
Opcode Fuzzy Hash: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
Instruction Fuzzy Hash: 3ED022D071121001DE10A0BC28C533711880B74336BA41A33BD69E26E3C33D8823542C

Function 0042D174 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00451D0F,00000000), ref: 0042D17F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
Instruction ID: 86baad2ceceaa6a85e65f17f0286784d9b66173697f2cc348ab0aa8737b1e759
Opcode Fuzzy Hash: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
Instruction Fuzzy Hash: C9C080D0711210155E10A5BD1CC556703C849543793540F37B068D66D2D13D8466202C

Function 004677CC Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 00407310 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB24,0040D0D0,?,00000000,?), ref: 0040732D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
Opcode Fuzzy Hash: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C

Function 0041F7EC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F800

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91

Function 004504A8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,004506B4,00000000,?,00469063,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 004504C6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
Instruction ID: d31243997fce6a081680f754dd08e5339b9cfa2d37494deb9f472b2c5ff9ad0f
Opcode Fuzzy Hash: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
Instruction Fuzzy Hash: 1AD092B1925244AECB10AB26EA0430232B0E364316F404037E60095163C33988958F8C

Function 00451070 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077

Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
Instruction ID: c64e7bd530bf7aca0fb3f38fdfe864b922b4b7832701085435935f337d1370ec
Opcode Fuzzy Hash: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
Instruction Fuzzy Hash: 0BC04CA5340140578F40A6AE85C1A1663DC9E193493504066B904DF657D669D8484A15

Function 004073A0 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 591f449e1d77daae53b1a5aa43bd251db5a728a4dd1e5d8efdcf407e7d8efb90
Instruction ID: b32d93fc701aa1162a174406e7d11ef14f94d69b7075bb962530761d6eacc69a
Opcode Fuzzy Hash: 591f449e1d77daae53b1a5aa43bd251db5a728a4dd1e5d8efdcf407e7d8efb90
Instruction Fuzzy Hash: 5BB012E13D320A26CA0079FE4CC191B00CC46297063405A3A3406E71C3DC3CC8180414

Function 004076F8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0047E3D0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
Instruction ID: be2fe49a244c431ec9946715e535269e6deba234050b303873a188c7b9bcae40
Opcode Fuzzy Hash: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
Instruction Fuzzy Hash: C5C00271511210AED750DFBA9D4C75637D4A71832AF068477F40CC3160F6344840CB09

Function 0042E83F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E85D), ref: 0042E850

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
Instruction ID: 289f6c2202f902c5fbbb0b24ee8d848b414576690a26c35d590b8c03c3951524
Opcode Fuzzy Hash: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
Instruction Fuzzy Hash: A7B09B76B0C6005DF705D6D5745152D63D4D7C57203E1457BF454D35C0D93C58004918

Function 00483058 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00483060

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6898b449f02840bdaf07bdabea8d5b644a8965388b8fc92a769e6b1c60158538
Instruction ID: a049f017766f74ee94b83235d94ec2d7737a3ea42143ca09c2755b46fea829eb
Opcode Fuzzy Hash: 6898b449f02840bdaf07bdabea8d5b644a8965388b8fc92a769e6b1c60158538
Instruction Fuzzy Hash: 7FA002343D530430F47463510D13F4400402744F15EE1409573053D0C304D82424201D

Function 00416A3C Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00416A43

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
Instruction ID: 951f12253bcdbe2be33f1d7372765b1b3ebb510443260a24e1bbd496af9ec3c9
Opcode Fuzzy Hash: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
Instruction Fuzzy Hash: AFA002755015409ADB10E7A5C84DF7A2298BF44204FD905FA714CA7052C53CD9008A55

Function 0047F09C Relevance: 1.4, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047F287,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047F241

Part of subcall function 0042CE50: GetSystemMetrics.USER32(0000002A), ref: 0042CE62

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ByteCharMetricsMultiSystemWide
String ID:
API String ID: 224039744-0
Opcode ID: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
Instruction ID: 496bb1a5f94cf580fd05206e04ab07141ed402b11bdf28edaa456749bafa96dd
Opcode Fuzzy Hash: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
Instruction Fuzzy Hash: 1D51B670600245FFDB10DFA6D884B9AB7F8EB19308F518077E804A73A2D778AD49CB59

Function 0041F814 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
Instruction ID: 12b252a98648104a36852bc9e66bdd9c626d3d2234b6f24232172dde86ff5d2a
Opcode Fuzzy Hash: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
Instruction Fuzzy Hash: FA1148746007059BCB10DF19C880B82FBE4EB98350F10C53AE9588B385D374E849CBA8

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
Instruction ID: 191f0f4b7cd680364798b3dc381f6aadc2f07e0dbee61be3c45a65ffd8c3a871
Opcode Fuzzy Hash: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
Instruction Fuzzy Hash: 9E01FC766442148FC3109E29DCC0E2677E8D794378F15453EDA85673A1D37A7C4187D8

Function 00453708 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00453771), ref: 00453753

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
Instruction ID: c77a4f58350eb22b54b4dfaca8229fa0e9126d3262ef2898ea61e0989ca8d5dd
Opcode Fuzzy Hash: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
Instruction Fuzzy Hash: 24014CB5A042046B8701DF69A8114AEFBE8DB4D3617208277FC64D3342D7345E059764

Function 00401340 Relevance: 1.3, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0049D450,004013A3,?,?,00401443,?,?,?,?,?,00401983), ref: 00401353

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 78b51a20f87013a2b8d738b98d0019fb6e38c968b046018860c7d69c9a759dbb
Instruction ID: 3837c305931925427e5917c24a6cbe5f1a74ecb476a9df88ea36e45ee8dad041
Opcode Fuzzy Hash: 78b51a20f87013a2b8d738b98d0019fb6e38c968b046018860c7d69c9a759dbb
Instruction Fuzzy Hash: 0CF05E71B012018FE724CF29D880656B7E1EBA9365F20807EE5C5D7760D3359C418B54

Non-executed Functions

Function 0041F568 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
FreeLibrary.KERNEL32(00000001,?,00419440,00000000,?,?,?,00000001), ref: 0041F6BF

Strings

Ctl3dUnAutoSubclass, xrefs: 0041F678
Ctl3DColorChange, xrefs: 0041F68D
Ctl3dAutoSubclass, xrefs: 0041F663
Ctl3dSubclassCtl, xrefs: 0041F60F
Ctl3dCtlColorEx, xrefs: 0041F64E
Ctl3dUnregister, xrefs: 0041F5FA
BtnWndProc3d, xrefs: 0041F6A2
Ctl3dDlgFramePaint, xrefs: 0041F639
Ctl3dSubclassDlgEx, xrefs: 0041F624
CTL3D32.DLL, xrefs: 0041F599
Ctl3dRegister, xrefs: 0041F5D1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 7f93fe397e684a103bce9d62382bab99a389729839f73a4ae53f62d0e5e878ce
Instruction ID: 05ddd3b6a7babc3b5f2b58818bfec20f43c940fb7309246182468bed43dc01b1
Opcode Fuzzy Hash: 7f93fe397e684a103bce9d62382bab99a389729839f73a4ae53f62d0e5e878ce
Instruction Fuzzy Hash: C93104B1A00604BBD710EF75BD46A6933A4F728B28B59093BB148D71A2E77C9C468F5C

Function 00458DC4 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00458E2B
QueryPerformanceCounter.KERNEL32(00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E34
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00458E3E
GetCurrentProcessId.KERNEL32(?,00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E47
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458EBD
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00458ECB
CreateFileA.KERNEL32(00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F13
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00459069,?,00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F4C

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458FF5
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045902B
CloseHandle.KERNEL32(000000FF,00459070,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459063

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

Starting 64-bit helper process., xrefs: 00458DF9
CreateNamedPipe, xrefs: 00458EDB
helper %d 0x%x, xrefs: 00458FD4
64-bit helper EXE wasn't extracted, xrefs: 00458E1F
i, xrefs: 00458FA8
Helper process PID: %u, xrefs: 00459048
CreateProcess, xrefs: 00458FFE
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458E93
CreateFile, xrefs: 00458F21
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458E0C
SetNamedPipeHandleState, xrefs: 00458F55
D, xrefs: 00458F6E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 588258891636d6961f6f973a73ca3d63e7b3c2cb37b3ea655e6ca71426862519
Instruction ID: c4bf9a6304175502231bb311a6f33329fdfd9ee29416440b986483e0f2b1c780
Opcode Fuzzy Hash: 588258891636d6961f6f973a73ca3d63e7b3c2cb37b3ea655e6ca71426862519
Instruction Fuzzy Hash: 9071F270A00654DADB10DF65CC46B9E7BF8EB05705F1045AAF908FB282DB785D448F69

Function 0047974C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 004795B8: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
Part of subcall function 004795B8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
Part of subcall function 004795B8: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
Part of subcall function 004795B8: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0), ref: 00479614
Part of subcall function 004795B8: CloseHandle.KERNEL32(00000000,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632

Part of subcall function 00479690: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00479722,?,?,?,021579E0,?,00479784,00000000,0047989A,?,?,?,?), ref: 004796C0

ShellExecuteEx.SHELL32(0000003C), ref: 004797D4
GetLastError.KERNEL32(00000000,0047989A,?,?,?,?), ref: 004797DD
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047982A
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047984E
CloseHandle.KERNEL32(00000000,0047987F,00000000,00000000,000000FF,000000FF,00000000,00479878,?,00000000,0047989A,?,?,?,?), ref: 00479872

Strings

<, xrefs: 00479793
GetExitCodeProcess, xrefs: 00479857
ShellExecuteEx, xrefs: 004797EE
runas, xrefs: 004797A1
ShellExecuteEx returned hProcess=0, xrefs: 004797FE
MsgWaitForMultipleObjects, xrefs: 00479837

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: f75691c6988614191e08cddca8c11734c2160cae10b5dfc7f4e0ecb506ded385
Instruction ID: ef977962423105e2be3f30a06cf623b0e2f7e3d3d4ebd630472f9d2e264b432c
Opcode Fuzzy Hash: f75691c6988614191e08cddca8c11734c2160cae10b5dfc7f4e0ecb506ded385
Instruction Fuzzy Hash: 35314471910204AADB10FFAA88416DEBAB8EF45314F51857FF518F7281D77C8D058B1A

Function 004187D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004187E3
GetWindowPlacement.USER32(?,0000002C), ref: 00418800
GetWindowRect.USER32(?), ref: 0041881C
GetWindowLongA.USER32(?,000000F0), ref: 0041882A
GetWindowLongA.USER32(?,000000F8), ref: 0041883F
ScreenToClient.USER32(00000000), ref: 00418848
ScreenToClient.USER32(00000000,?), ref: 00418853

Strings

,, xrefs: 004187EC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
Instruction ID: c8128d77bd0d7ceb2c04d713c679bf83e48da9b619e6265fa23865d78167b210
Opcode Fuzzy Hash: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
Instruction Fuzzy Hash: 1B111971505201ABDB00EF69C885E9B77E8AF48314F140A7EB958DB286C738D900CB65

Function 0042F71C Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042F744
GetWindowLongA.USER32(?,000000F0), ref: 0042F758
GetWindowLongA.USER32(?,000000EC), ref: 0042F76F
GetActiveWindow.USER32 ref: 0042F778
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7A5
SetActiveWindow.USER32(?,0042F8D5,00000000,?), ref: 0042F7C6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
Instruction ID: 4c2db8bb30fa69d0e852579bfabd785c91e73d104037fd1269e13a33cc275b58
Opcode Fuzzy Hash: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
Instruction Fuzzy Hash: 0D31B170A00654AFDB01EFB5DC52D6EBBF8EB09704B9244BBF804E7291D6389D04CB18

Function 00455D80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00455D8F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455D95
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455DAE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DD5
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DDA
ExitWindowsEx.USER32(00000002,00000000), ref: 00455DEB

Strings

SeShutdownPrivilege, xrefs: 00455DA7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
Instruction ID: 02e3d1fa5e569da00b44776faf89310fbaa28c239a726f1a6525e170f6cce7ee
Opcode Fuzzy Hash: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
Instruction Fuzzy Hash: 55F06871294B02BAE650A6718C1BF7B21A8DB40749F50892ABD41EA1C3D7BDD40C8A7A

Function 0049998C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8,?,?,00000000,0049D62C), ref: 004999E3
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00499A66
FindNextFileA.KERNEL32(000000FF,?,00000000,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000), ref: 00499A7E
FindClose.KERNEL32(000000FF,00499AA9,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8), ref: 00499A9C

Strings

isRS-, xrefs: 00499A03
isRS-???.tmp, xrefs: 004999CD

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: cfb3a4e8891647e25ddb47f72537cfc9ca7752bf6e817f453b672b1491ac9f16
Instruction ID: e7bbbac40fef3dfc3cc8058b31a588cc53a4b1370f1491e53b11de7997221e0f
Opcode Fuzzy Hash: cfb3a4e8891647e25ddb47f72537cfc9ca7752bf6e817f453b672b1491ac9f16
Instruction Fuzzy Hash: 98318871A015586FDF10EF66CC41ADEBBBCDB45304F5184BBA808A32A1DA389F45CE58

Function 00457D90 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E0D
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E34
SetForegroundWindow.USER32(?), ref: 00457E45
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045811D,?,00000000,00458159), ref: 00458108

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457F88

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 1bafb29eaa387cf621c65735d6d6e09d1b320a36b208eca102bc359f3f595fb9
Instruction ID: fc8679ff921622e129be82b5c7b8b9d6156041410e322bf9d6052ebf871bd799
Opcode Fuzzy Hash: 1bafb29eaa387cf621c65735d6d6e09d1b320a36b208eca102bc359f3f595fb9
Instruction Fuzzy Hash: E8911234604204DFDB15CF55D952F1ABBF9EB88700F2180BAED04AB792CB79AE05CB58

Function 00418120 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041815F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA

Strings

,, xrefs: 004181A1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
Instruction ID: 655d5dfc889397085a04c255a013ff48624dbcd9c32011b5bbe491b24769000a
Opcode Fuzzy Hash: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
Instruction Fuzzy Hash: 3C211D72600204ABDF00EF69CCC1ADA77E8AF49314F55456AFD18DF246CB78D9458BA8

Function 004648D0 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00464A8D), ref: 00464901
FindFirstFileA.KERNEL32(00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464990
FindNextFileA.KERNEL32(000000FF,?,00000000,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A22
FindClose.KERNEL32(000000FF,00464A49,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A3C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: ecc694449efe8ee83bfae755dd805d638537151d1d8e40a4bbd8c6577bf73ccd
Instruction ID: ae00aa0afc7aa582470d59ca75ba9400823c3a1943f8949d3747a5def8a0c8eb
Opcode Fuzzy Hash: ecc694449efe8ee83bfae755dd805d638537151d1d8e40a4bbd8c6577bf73ccd
Instruction Fuzzy Hash: B541C570A00658AFDF11EFA5DC45ADEB7B8EB89305F4044BAF404E7381E63C9E488E19

Function 00464D4C Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00464F33), ref: 00464DC1
FindFirstFileA.KERNEL32(00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464E07
FindNextFileA.KERNEL32(000000FF,?,00000000,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EBC
FindClose.KERNEL32(000000FF,00464EE7,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EDA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 42490d7e0f8b90401ef2b5897176ab16b990b317db0059791a95fa77735b0182
Instruction ID: 8e27f6cc4c7e55bed8f6d5ebd72a4c3c722eac7afebeb0f1b00dc6af3d7f2fe3
Opcode Fuzzy Hash: 42490d7e0f8b90401ef2b5897176ab16b990b317db0059791a95fa77735b0182
Instruction Fuzzy Hash: 31416535A006589FCB11EFA5CD859DEB7B9FBC8305F5044AAF804E7341EB389E448E59

Function 0042ED84 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDA6
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EDD1
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDDE
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDE6
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDEC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
Instruction ID: d5f14a2582f403684e4f7b299b1070748df424b87161b08669007267f0031b9d
Opcode Fuzzy Hash: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
Instruction Fuzzy Hash: 21F0F0723A07203AF620B17A6C82F7F018CC784B68F10423AF704FF1D1D9A84D0515AD

Function 00484D28 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00484D66
GetWindowLongA.USER32(00000000,000000F0), ref: 00484D84
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DA6
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DBA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
Instruction ID: c453c85064c149f2f8de5328ae0569b6634ad2f96c4c2f1b45344ef68f201c80
Opcode Fuzzy Hash: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
Instruction Fuzzy Hash: 3D015E706002129EDB10FB769D89B9A22D95B50344F19083FB8449B2E2CB7C9841975C

Function 00463344 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00463418), ref: 0046339C
FindNextFileA.KERNEL32(000000FF,?,00000000,004633F8,?,00000000,?,00000000,00463418), ref: 004633D8
FindClose.KERNEL32(000000FF,004633FF,004633F8,?,00000000,?,00000000,00463418), ref: 004633F2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a3f6158ced67ec73cb67a532b72ad96bc9113b626d4d7b4c1370e1b046e46ec6
Instruction ID: 0500e82312f9f08261d57c94a6d9b1f58695be5d4d7593f033a5dbf80f84d4fc
Opcode Fuzzy Hash: a3f6158ced67ec73cb67a532b72ad96bc9113b626d4d7b4c1370e1b046e46ec6
Instruction Fuzzy Hash: 1421DB315046886FDB11DF66CC41ADEB7ACDB49305F5084F7B808D3251EA389F44C959

Function 0042462C Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424634
SetActiveWindow.USER32(?,?,?,?,0046DA13), ref: 00424641

Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Part of subcall function 00423F64: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021525AC,0042465A,?,?,?,?,0046DA13), ref: 00423F9F

SetFocus.USER32(00000000,?,?,?,?,0046DA13), ref: 0042466E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
Instruction ID: 5ae1608fbac1b61a262bbd8080f57afdf1b64e8a1d97d82fcb33e84f02d7d1dc
Opcode Fuzzy Hash: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
Instruction Fuzzy Hash: DBF0D07170122187CB00BFA9D9C5A9633A8AF48714B56407BBD09DF25BC67CDC458768

Function 0042F254 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F261
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F271
CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F299

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
Opcode Fuzzy Hash: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96

Function 0041811E Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041815F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
Instruction ID: b17f17ea660f77e7302433a0225cb82371cce2f83056bcd31e3690383aca5fbc
Opcode Fuzzy Hash: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
Instruction Fuzzy Hash: E5012C72300104BBDF10EE69CCC1EEB7798AB55364F55416AFD18DF242DA38ED8287A8

Function 004179E8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417A13
GetCapture.USER32 ref: 00417A1C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 373e0a40ab0d4ea76f69d1688ff4f953920e4e837af208d8a25afaf4faa000c4
Instruction ID: c42435c704d87005acf5b6d7044dd68bff31d3bfeee1bac994fdbb5906758c2c
Opcode Fuzzy Hash: 373e0a40ab0d4ea76f69d1688ff4f953920e4e837af208d8a25afaf4faa000c4
Instruction Fuzzy Hash: 79F049313446014BD720A72DC889AAF62F99F84394B1C643BE41AC7756EB7DDDC48758

Function 004245E4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004245EB

Part of subcall function 00423ED4: EnumWindows.USER32(00423E6C), ref: 00423EF8
Part of subcall function 00423ED4: GetWindow.USER32(?,00000003), ref: 00423F0D
Part of subcall function 00423ED4: GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
Part of subcall function 00423ED4: SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52

SetActiveWindow.USER32(?,?,?,004241C3,00000000,004245AC), ref: 004245FF

Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
Instruction ID: 0eb0e95855424de6865fa4d756a676c77cd5728601e575884a8a50090c80911a
Opcode Fuzzy Hash: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
Instruction Fuzzy Hash: 3BE01A6070010187DB00EFAAE8C4B8622A8BF88305F55017ABC08CF24BDA3CDC048728

Function 00412A28 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C25), ref: 00412C13

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
Instruction ID: cdfe5c129d614e166dcfab814c58775b37bd24f4e82d9105b90a581207f53ed6
Opcode Fuzzy Hash: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
Instruction Fuzzy Hash: 0451C2316082058FC720DF6AD781A9AF3E5EF98304B2086ABD904C7351EAB9ED91C74D

Function 00479D08 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00479E56

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
Instruction ID: 77384fbc8b33c5310ab19163c687e45bac72601044cd1e9f95c219b02d082465
Opcode Fuzzy Hash: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
Instruction Fuzzy Hash: 71414A75604105EFCB20CF99C6808AAB7F5EB48310B74C9A6E849DB745D338EE41DB94

Function 0042F9C0 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F9DC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
Instruction ID: 416a4692ed3cb8c0a12f59f0b22837e163b9cfd3c66ebd18f18690eb3ad7abe4
Opcode Fuzzy Hash: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
Instruction Fuzzy Hash: 07D0A7B220010C7FDB00DE98D840D6B33BC9B8C700B90C826F945C7241D234EDA0CBB8

Function 0044BB28 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BAA4: GetVersionExA.KERNEL32(00000094), ref: 0044BAC1

Part of subcall function 0044BAF8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BB10

LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BC8C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BC9E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BCB0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BCC2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BCD4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BCE6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BCF8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD0A
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BD1C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BD2E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BD40
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BD52
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BD64
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BD76
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BD88
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BD9A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BDAC
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BDBE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BDD0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BDE2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BDF4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE06
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BE18
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BE2A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BE3C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BE4E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BE60
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BE72
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BE84
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BE96
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BEA8
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BEBA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BECC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BEDE

Strings

EnableThemeDialogTexture, xrefs: 0044BE58
SetThemeAppProperties, xrefs: 0044BE8E
GetThemeTextExtent, xrefs: 0044BC18
GetThemeSysFont, xrefs: 0044BDEC
GetThemeTextMetrics, xrefs: 0044BC2A
GetThemePosition, xrefs: 0044BD14
GetThemeRect, xrefs: 0044BD38
GetThemeAppProperties, xrefs: 0044BE7C
GetThemeDocumentationProperty, xrefs: 0044BEB2
GetThemePartSize, xrefs: 0044BC06
IsThemeDialogTextureEnabled, xrefs: 0044BE6A
IsThemeBackgroundPartiallyTransparent, xrefs: 0044BC96
GetCurrentThemeName, xrefs: 0044BEA0
GetThemeEnumValue, xrefs: 0044BD02
GetThemeSysColorBrush, xrefs: 0044BDB6
GetThemeBool, xrefs: 0044BCDE
uxtheme.dll, xrefs: 0044BB77
GetThemeSysBool, xrefs: 0044BDC8
GetWindowTheme, xrefs: 0044BE46
CloseThemeData, xrefs: 0044BBAC
DrawThemeBackground, xrefs: 0044BBBE
HitTestThemeBackground, xrefs: 0044BC4E
GetThemeIntList, xrefs: 0044BD5C
DrawThemeParentBackground, xrefs: 0044BEC4
IsAppThemed, xrefs: 0044BE34
DrawThemeText, xrefs: 0044BBD0
GetThemePropertyOrigin, xrefs: 0044BD6E
EnableTheming, xrefs: 0044BED6
OpenThemeData, xrefs: 0044BB9A
GetThemeSysColor, xrefs: 0044BDA4
GetThemeFont, xrefs: 0044BD26
GetThemeBackgroundRegion, xrefs: 0044BC3C
GetThemeColor, xrefs: 0044BCA8
GetThemeMetric, xrefs: 0044BCBA
SetWindowTheme, xrefs: 0044BD80
GetThemeMargins, xrefs: 0044BD4A
GetThemeSysSize, xrefs: 0044BDDA
GetThemeBackgroundContentRect, xrefs: 0044BBE2, 0044BBF4
GetThemeString, xrefs: 0044BCCC
IsThemeActive, xrefs: 0044BE22
DrawThemeEdge, xrefs: 0044BC60
GetThemeFilename, xrefs: 0044BD92
GetThemeSysString, xrefs: 0044BDFE
DrawThemeIcon, xrefs: 0044BC72
GetThemeSysInt, xrefs: 0044BE10
GetThemeInt, xrefs: 0044BCF0
IsThemePartDefined, xrefs: 0044BC84

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
Instruction ID: 345b4916510d3cb7c096cba84ec2b1d1bd9d6ff2ab3c947e91cb1c242a843473
Opcode Fuzzy Hash: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
Instruction Fuzzy Hash: 49A16AB0A41A50EBEB00EFF5DC86A2A37A8EB15B14B1405BBB444EF295D678DC048F5D

Function 00493FEC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,004944E1,?,?,?,?,00000000,00000000,00000000), ref: 0049402C
FindWindowA.USER32(00000000,00000000), ref: 0049405D

Strings

FINDWINDOWBYCLASSNAME, xrefs: 00494039
SENDMESSAGE, xrefs: 004940B1
CALLDLLPROC, xrefs: 00494351
CHARTOOEMBUFF, xrefs: 00494482
REGISTERWINDOWMESSAGE, xrefs: 004941BF
POSTBROADCASTMESSAGE, xrefs: 00494247
OEMTOCHARBUFF, xrefs: 0049443F
FREEDLL, xrefs: 004943D8
POSTMESSAGE, xrefs: 00494107
SENDNOTIFYMESSAGE, xrefs: 00494163
CREATEMUTEX, xrefs: 0049440D
LOADDLL, xrefs: 004942EF
FINDWINDOWBYWINDOWNAME, xrefs: 00494075
SLEEP, xrefs: 00494016
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049429B
SENDBROADCASTMESSAGE, xrefs: 004941F9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 834d3c12a7b8cb1b7f9a51084d0e5a3396d1cd2c1371b045a5ef52030d7eb881
Instruction ID: aaf63752e06fee66a7d05b71673dc8e7902340e663ecb0da5339ca9489632561
Opcode Fuzzy Hash: 834d3c12a7b8cb1b7f9a51084d0e5a3396d1cd2c1371b045a5ef52030d7eb881
Instruction Fuzzy Hash: 7EC14060B0421027DB14FB7ACC4692E5A999BD4704750CA3FB40AEB78BDE3CDC0B4799

Function 0041CE5C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CE90
CreateCompatibleDC.GDI32(?), ref: 0041CE9C
CreateBitmap.GDI32(0041AD94,?,00000001,00000001,00000000), ref: 0041CEC0
CreateCompatibleBitmap.GDI32(?,0041AD94,?), ref: 0041CED0
SelectObject.GDI32(0041D28C,00000000), ref: 0041CEEB
FillRect.USER32(0041D28C,?,?), ref: 0041CF26
SetTextColor.GDI32(0041D28C,00000000), ref: 0041CF3B
SetBkColor.GDI32(0041D28C,00000000), ref: 0041CF52
PatBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00FF0062), ref: 0041CF68
CreateCompatibleDC.GDI32(?), ref: 0041CF7B
SelectObject.GDI32(00000000,00000000), ref: 0041CFAC
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CFC4
RealizePalette.GDI32(00000000), ref: 0041CFCD
SelectPalette.GDI32(0041D28C,00000000,00000001), ref: 0041CFDC
RealizePalette.GDI32(0041D28C), ref: 0041CFE5
SetTextColor.GDI32(00000000,00000000), ref: 0041CFFE
SetBkColor.GDI32(00000000,00000000), ref: 0041D015
BitBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00000000,00000000,00000000,00CC0020), ref: 0041D031
SelectObject.GDI32(00000000,?), ref: 0041D03E
DeleteDC.GDI32(00000000), ref: 0041D054

Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
Instruction ID: f3cd37e79d0242250547ce8a95e3067296a2558137ee74c5e82542f4c8f5946c
Opcode Fuzzy Hash: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
Instruction Fuzzy Hash: 6F61CD71A44604AFDB10EBE9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69

Function 00499CB8 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000,0049A411,?,00000000), ref: 00499D3B
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000), ref: 00499D4E
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000), ref: 00499D5E
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00499D7F
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000), ref: 00499D8F

Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1

Strings

Setup, xrefs: 00499D27
/REG, xrefs: 00499CED
/REGU, xrefs: 00499D11
.msg, xrefs: 00499DB2
.lst, xrefs: 00499DCC
Inno-Setup-RegSvr-Mutex, xrefs: 00499D45

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
Instruction ID: 24b702ce4587ab849973673670b37801b9677cadbfb3bf4f1077f7c12e9ac28d
Opcode Fuzzy Hash: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
Instruction Fuzzy Hash: 5591C430A04205AFDF11EF69C852BAEBBB4EB49304F51447AF500AB792C63DAC05CB6D

Function 0045AED4 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045B190,?,?,?,?,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045B042

Strings

The file appears to be in use (%d). Will delete on restart., xrefs: 0045B08B
Failed to delete the file; it may be in use (%d)., xrefs: 0045B131
.gid, xrefs: 0045AF24
Failed to strip read-only attribute., xrefs: 0045B027
.lnk, xrefs: 0045AFAF
Stripped read-only attribute., xrefs: 0045B01B
Deleting file: %s, xrefs: 0045AFE1
.chw, xrefs: 0045AF89
.hlp, xrefs: 0045AF0B
.fts, xrefs: 0045AF48
.chm, xrefs: 0045AF70

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: c6f54f5b50df562880ca518316ccafa31a629e74388fdf67c77d9c44612f3ce0
Instruction ID: 1722664f16d817fc675012576ec738190a07adef69c32437d7057340c1fc2b4b
Opcode Fuzzy Hash: c6f54f5b50df562880ca518316ccafa31a629e74388fdf67c77d9c44612f3ce0
Instruction Fuzzy Hash: 3271AE307006445BDB01EB6A88927AE7BA5EF49755F50846BFC01EB383CB7C8E49879D

Function 0045D3BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045D3D6
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D3F6
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D403
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D410
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D41E

Part of subcall function 0045D2C4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D363,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D33D

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4D7
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4E0

Strings

advapi32.dll, xrefs: 0045D3F1
SetNamedSecurityInfoW, xrefs: 0045D40A
W, xrefs: 0045D4EE
GetNamedSecurityInfoW, xrefs: 0045D3FD
SetEntriesInAclW, xrefs: 0045D418

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
Instruction ID: 1fdbc06bdf38f6500452038ca5d2f44928d617c4984e35671f0aa61f53d98d16
Opcode Fuzzy Hash: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
Instruction Fuzzy Hash: D35183B1D00208EFDB20DF99C841BAEB7B8EF49315F14806AF904B7382D6789945CF69

Function 0041B7FC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B813
CreateCompatibleDC.GDI32(00000000), ref: 0041B81D
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B82F
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B846
GetDC.USER32(00000000), ref: 0041B852
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B87F
ReleaseDC.USER32(00000000,00000000), ref: 0041B8A5
SelectObject.GDI32(00000000,?), ref: 0041B8C0
SelectObject.GDI32(?,00000000), ref: 0041B8CF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
SelectObject.GDI32(00000000,00000000), ref: 0041B909
SelectObject.GDI32(?,00000000), ref: 0041B917
DeleteDC.GDI32(00000000), ref: 0041B920
DeleteDC.GDI32(?), ref: 0041B929

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
Instruction ID: 5456327a1e321ce8c2b8187df1c916a831ebe275c46a8a968a344784d91ca00b
Opcode Fuzzy Hash: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
Instruction Fuzzy Hash: FC419F71E44609ABDB10EAE9C845FEFB7BCEB08704F104466F614F7281D7786D418BA8

Function 00454FDC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,?,00000000,?,00000000,00455275,?,0045B366,00000003,00000000,00000000,004552AC), ref: 004550F5

Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 00455179
RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 004551A8

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045504C
RegOpenKeyEx, xrefs: 00455078
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00455013
, xrefs: 00455066

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 650b60b503d74eca58cf70ec9562748bdb23163610bc239b6f24371e85c1222d
Instruction ID: 06452bf81ef06fa34888f2ab1cc7b3841a1100f4c60e90cd60a05f06e497d7d6
Opcode Fuzzy Hash: 650b60b503d74eca58cf70ec9562748bdb23163610bc239b6f24371e85c1222d
Instruction Fuzzy Hash: E0913371D04608ABDB10DFA5C952BEEB7F8EB08305F50406BF904F7282D6799E088B69

Function 00459C54 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459B60: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459CFB
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459D65

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459DCC

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459D7F
.NET Framework version %s not found, xrefs: 00459E05
.NET Framework not found, xrefs: 00459E19
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459CAE
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459D18
v2.0.50727, xrefs: 00459D57
v4.0.30319, xrefs: 00459CED
v1.1.4322, xrefs: 00459DBE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 8b9e0b07a6d71abb33b342f656cf4b7e33db3fac7b3c8c62fd281b3a753bfe81
Instruction ID: 13a12a4b366685baa8d6a2e304724611cbcec49206d2204e0959de5a5d6478e2
Opcode Fuzzy Hash: 8b9e0b07a6d71abb33b342f656cf4b7e33db3fac7b3c8c62fd281b3a753bfe81
Instruction Fuzzy Hash: 6451B235A04104EFCB04DB66D862BEE77BADB49305F1844BBA941D7382E7799E0D8B18

Function 00459240 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00459277
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459293
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004592A1
GetExitCodeProcess.KERNEL32(?), ref: 004592B2
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004592F9
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00459315

Strings

Helper process exited, but failed to get exit code., xrefs: 004592EB
Helper process exited with failure code: 0x%x, xrefs: 004592DF
Helper process exited., xrefs: 004592C1
Helper isn't responding; killing it., xrefs: 00459283
Stopping 64-bit helper process. (PID: %u), xrefs: 00459269

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
Instruction ID: 475b633a8f1197f12a32b7740e8dffccf3703e2e74a756bc360da45c31bde27f
Opcode Fuzzy Hash: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
Instruction Fuzzy Hash: 7B215C70604700EAC720EA7DC486B5B77D49F49305F048D2EB899DB693DA7CEC489B2A

Function 00454C90 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E234: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454DB7
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454EF3

Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37

Strings

RegCreateKeyEx, xrefs: 00454D2B
, xrefs: 00454D19
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CCF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CFF

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 2d07f13e4db519d4e9e36b01427add84eda95a74c7e6f0e57b2001e2f306a931
Instruction ID: 61cb1c98edcfe528623c145d9993427f2b00fea00e486b8f0244815ce8f04fab
Opcode Fuzzy Hash: 2d07f13e4db519d4e9e36b01427add84eda95a74c7e6f0e57b2001e2f306a931
Instruction Fuzzy Hash: 18810175900209ABDB01DFD5C942BDEB7B8FB49709F50442AF900FB282D7789A49CB69

Function 00498538 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00454024: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
Part of subcall function 00454024: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004985B5
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00498709), ref: 004985D6
CreateWindowExA.USER32(00000000,STATIC,00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004985FD
SetWindowLongA.USER32(?,000000FC,00497D90), ref: 00498610
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC,00498718), ref: 00498640
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004986B4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000), ref: 004986C0

Part of subcall function 00454498: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F

DestroyWindow.USER32(?,004986E3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC), ref: 004986D6

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0049866F
STATIC, xrefs: 004985F6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
Instruction ID: 19a9ac76a87cbdbac9fefc72f4bc8d66673aab5a8439699f4ab81f25108c8d39
Opcode Fuzzy Hash: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
Instruction Fuzzy Hash: 78414771A54204AFDF00EBA5CC42F9E7BF8EB09714F51457AF500FB291DA799E048B58

Function 0042E868 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E891
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E897
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E8E5

Strings

Locale, xrefs: 0042E8D4
hE, xrefs: 0042E927, 0042E92F, 0042E93A, 0042E95C
.DEFAULT\Control Panel\International, xrefs: 0042E8BC
kernel32.dll, xrefs: 0042E88C
GetUserDefaultUILanguage, xrefs: 0042E887
Control Panel\Desktop\ResourceLocale, xrefs: 0042E8F4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$hE
API String ID: 4190037839-2100363064
Opcode ID: 58c30dd9f85b062d47b06f98ac05074f4c591b85530fc523b77ad03276e46551
Instruction ID: 343416b7bfae85f45959abe8e21461bd4048f30ead5244c3b453dfa896624356
Opcode Fuzzy Hash: 58c30dd9f85b062d47b06f98ac05074f4c591b85530fc523b77ad03276e46551
Instruction Fuzzy Hash: 06214470B00229EBDB50EAA7DC42BAE77A8EB44314F904477A500E7281DB7C9E45DB1C

Function 004635E4 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004635F0
GetModuleHandleA.KERNEL32(user32.dll), ref: 00463604
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463611
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046361E
GetWindowRect.USER32(?,00000000), ref: 0046366A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004636A8

Strings

(, xrefs: 00463649
GetMonitorInfoA, xrefs: 00463618
user32.dll, xrefs: 004635FF
MonitorFromWindow, xrefs: 0046360B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
Instruction ID: 23225dc964baf5770c03b9449d190f9fd0809e25ab0c2f23061680c52a7637e8
Opcode Fuzzy Hash: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
Instruction Fuzzy Hash: AE21C2B17006446BD320EE68CC45F3B76D9EB84B05F09452EF944DB3C1EA78DD004B5A

Function 0042F614 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F620
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F634
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F641
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F64E
GetWindowRect.USER32(?,00000000), ref: 0042F69A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F6D8

Strings

GetMonitorInfoA, xrefs: 0042F648
user32.dll, xrefs: 0042F62F
MonitorFromWindow, xrefs: 0042F63B
(, xrefs: 0042F679

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
Instruction ID: 8e363f887434259cf3ecd6bfca6d9ac669349ab4594bae960fb014309ef79425
Opcode Fuzzy Hash: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
Instruction Fuzzy Hash: BC21C2B27006146FD600EA68DC85F3B72A9EB84704F89463AF944DB391DA78DC098B59

Function 00459418 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004595F7,?,00000000,0045965A,?,?,00000000,00000000), ref: 00459475
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594D2
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594DF
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045952B
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459551
GetLastError.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459558

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

TransactNamedPipe, xrefs: 004594EB
CreateEvent, xrefs: 00459483

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
Instruction ID: 77fbb71d8e7aac064b87aac98c1c55f9fcb2258c1561d492b861e589c0c855dd
Opcode Fuzzy Hash: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
Instruction Fuzzy Hash: CF418B71A00208FFDB11DF99C981F9EB7F9EB48710F5040AAF904E7282D6789E54CB68

Function 004574BC Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00457621,?,?,00000031,?), ref: 004574E4
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004574EA
LoadTypeLib.OLEAUT32(00000000,?), ref: 00457537

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

UnRegisterTypeLib, xrefs: 004575A3
GetProcAddress, xrefs: 004574F7
ITypeLib::GetLibAttr, xrefs: 0045756D
OLEAUT32.DLL, xrefs: 004574DF
LoadTypeLib, xrefs: 00457542
UnRegisterTypeLib, xrefs: 004574DA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
Instruction ID: 559faf3bdf9cccbe36ab56d48fd8e4aa4276a02661c60707683b87f46ce48c1c
Opcode Fuzzy Hash: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
Instruction Fuzzy Hash: 8131B471A04604BFCB01EFAADC01D5FB7BEEB8975571044B6BD04D3652EA38DD04CA68

Function 004171D0 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00417263
SaveDC.GDI32(?), ref: 00417277
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0041729A
RestoreDC.GDI32(?,?), ref: 004172B5
CreateSolidBrush.GDI32(00000000), ref: 00417335
FrameRect.USER32(?,?,?), ref: 00417368
DeleteObject.GDI32(?), ref: 00417372
CreateSolidBrush.GDI32(00000000), ref: 00417382
FrameRect.USER32(?,?,?), ref: 004173B5
DeleteObject.GDI32(?), ref: 004173BF

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 53338b723e60019b0e5d7787f83bb0eaf38aae583f1cfacba6e60a06ab1a3e99
Instruction ID: 6654575de22a121332528345891e4d9aada139d791074539051cb87a9fd886f5
Opcode Fuzzy Hash: 53338b723e60019b0e5d7787f83bb0eaf38aae583f1cfacba6e60a06ab1a3e99
Instruction Fuzzy Hash: 30515D712086455FDB50EF69C8C0B9B7BE8AF48314F1455AAFD588B286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 00422638 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422683
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226A1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226AE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226BB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226C8
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004226D5
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004226E2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004226EF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042270D
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422729

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
Instruction ID: df9c0873c136ddd24b8aa988775969986c1613bec62327c4069b14a2c43cb384
Opcode Fuzzy Hash: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
Instruction Fuzzy Hash: 5F2156743847047AE721E724CD8BF9B7BD89B54748F144069B6487F2D3C6FCAA40869C

Function 00462174 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004621AF
GetActiveWindow.USER32 ref: 00462213
CoInitialize.OLE32(00000000), ref: 00462227
SHBrowseForFolder.SHELL32(?), ref: 0046223E
CoUninitialize.OLE32(0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462253
SetActiveWindow.USER32(?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462269
SetActiveWindow.USER32(?,?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462272

Strings

A, xrefs: 004621E7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
Instruction ID: 1e82777cc352b96db12449cf8796706bfa71e84f11e11660080683620fe74db3
Opcode Fuzzy Hash: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
Instruction Fuzzy Hash: E23130B0E04208AFDB00EFB5D945ADEBBF8EB09304F51447AF914E7251E7789A04CB59

Function 0045DAB0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DAB9
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DAC9
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DAD9
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DAE9

Strings

inflateReset, xrefs: 0045DAE3
inflateInit_, xrefs: 0045DAB3
inflate, xrefs: 0045DAC3
inflateEnd, xrefs: 0045DAD3

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
Instruction ID: 9991d33b7b3f44c4a287d390de66c621eb38f0a325e11cae05c3c9c0ae6f74c7
Opcode Fuzzy Hash: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
Instruction Fuzzy Hash: ED016CB0D00710DAE324DF335C827223AA79B94306F1584376B4853266D3FC184DCE2D

Function 0041AD2C Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041AE09
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE43
SetBkColor.GDI32(?,?), ref: 0041AE58
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEA2
SetTextColor.GDI32(00000000,00000000), ref: 0041AEAD
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEBD
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AEFC
SetTextColor.GDI32(00000000,00000000), ref: 0041AF06
SetBkColor.GDI32(00000000,?), ref: 0041AF13

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
Instruction ID: 4ec4bb7d7ecd06ab75a809c898bbb7394ceff3bd51f581de865bbf99f3132505
Opcode Fuzzy Hash: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
Instruction Fuzzy Hash: E761A6B5A01605EFC740EFADE985E9AB7F9EF08318B108566F518DB251C734ED408F98

Function 004588C0 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458A74,?, /s ",?,regsvr32.exe",?,00458A74), ref: 004589E6

Strings

Spawning 64-bit RegSvr32: , xrefs: 0045894B
CreateProcess, xrefs: 004589D8
regsvr32.exe", xrefs: 00458907
Spawning 32-bit RegSvr32: , xrefs: 0045896D
/s ", xrefs: 0045892F
D, xrefs: 0045899C
/u, xrefs: 00458922
0x%x, xrefs: 00458A09

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
Instruction ID: 5e566bfdb395c8031f807e0e6dfcda5b961088fbae7d5a2ae3caad0b9f5d9a1a
Opcode Fuzzy Hash: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
Instruction Fuzzy Hash: 94410770A003486BDB10EFE5C842B9DB7F9AF45305F50407FA914BB296DF789E098B59

Function 0044D750 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D781
GetSysColor.USER32(00000014), ref: 0044D788
SetTextColor.GDI32(00000000,00000000), ref: 0044D7A0
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D7C9
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D7D3
GetSysColor.USER32(00000010), ref: 0044D7DA
SetTextColor.GDI32(00000000,00000000), ref: 0044D7F2
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D81B
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D846

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
Instruction ID: 83f763003a0c4173e52025d9049416b14570b2719a823760897ab970dc451d42
Opcode Fuzzy Hash: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
Instruction Fuzzy Hash: B221ACB46015047FC710FB2ACD8AE8AB7DC9F59319B00857BB918EB3A3C67CDE444669

Function 00497DDC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

GetWindowThreadProcessId.USER32(00000000,?), ref: 00497E6D
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00497E81
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00497E9B
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EA7
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EAD
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EC0

Strings

Deleting Uninstall data files., xrefs: 00497DE3

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
Instruction ID: 7989a93d4f85e89f9f4a8d52eef74e044f35551c753dc98037dc67a034be62a8
Opcode Fuzzy Hash: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
Instruction Fuzzy Hash: 78213270718204BEEF10EBB6AC42B5737A8E755758F15497BF500961E2EA7C5C048B1D

Function 00471058 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155,?,?,?,?,00000000), ref: 004710BF
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155), ref: 004710D6
AddFontResourceA.GDI32(00000000), ref: 004710F3
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471107

Strings

AddFontResource, xrefs: 00471111
Failed to set value in Fonts registry key., xrefs: 004710C8
Failed to open Fonts registry key., xrefs: 004710DD

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 7c4e9ce8899c50156beb29e6a4f0c1fb68aa66f584b13ae4b867648ef350e078
Instruction ID: e530b8863bd5b0940b7b47d45e6c2b04f0dd933a31ed90210a2cbfb1d5868c86
Opcode Fuzzy Hash: 7c4e9ce8899c50156beb29e6a4f0c1fb68aa66f584b13ae4b867648ef350e078
Instruction Fuzzy Hash: 3821B27074024477D710EA6A9C42F9A77ACCB09708F60C43BBA04EB3D2DA7CDE05862D

Function 00463A24 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416860: GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
Part of subcall function 00416860: UnregisterClassA.USER32(?,00400000), ref: 004168FB
Part of subcall function 00416860: RegisterClassA.USER32(?), ref: 0041691E

GetVersion.KERNEL32 ref: 00463A54
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00463A92
SHGetFileInfo.SHELL32(00463B30,00000000,?,00000160,00004011), ref: 00463AAF
LoadCursorA.USER32(00000000,00007F02), ref: 00463ACD
SetCursor.USER32(00000000,00000000,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463AD3
SetCursor.USER32(?,00463B13,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463B06

Strings

Explorer, xrefs: 00463A6E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 08ef91ce8ca4084e417ba220884df78b79a66e01962786801913a20119982a52
Instruction ID: 0956d246c88e4b13c617490cc10e92cdb10fa67267cb1644ec11604dcab5a564
Opcode Fuzzy Hash: 08ef91ce8ca4084e417ba220884df78b79a66e01962786801913a20119982a52
Instruction Fuzzy Hash: 6A212C307403446AE710BFB58C47F9A76989B08708F5000BFBA09EE1C3EABD9D4586AD

Function 004795B8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021579E0,?,?,?,021579E0), ref: 00479614
CloseHandle.KERNEL32(00000000,?,?,?,021579E0,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632

Strings

GetFinalPathNameByHandleA, xrefs: 004795C7
kernel32.dll, xrefs: 004795CC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
Instruction ID: 19ddb68189d16dccfde8b10573e35333770f7cebea86a77b7f1be6907437da3a
Opcode Fuzzy Hash: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
Instruction Fuzzy Hash: CC01D26034470436E52131BA4C86FBB248C8B50768F148237BA1CEA2E2EDAD9E0601AE

Function 0045A608 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A78A,?,00000000,00000000,00000000,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045A6CE

Part of subcall function 00454B5C: FindClose.KERNEL32(000000FF,00454C52), ref: 00454C41

Strings

Failed to strip read-only attribute., xrefs: 0045A69C
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A6A8
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A743
Stripped read-only attribute., xrefs: 0045A690
Failed to delete directory (%d)., xrefs: 0045A764
Deleting directory: %s, xrefs: 0045A657
Failed to delete directory (%d). Will retry later., xrefs: 0045A6E7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: ae42777790169d4ff6edf5fab0230c903d40739da18b61ae09ca68f4304208a4
Instruction ID: 6800a92dfaec35f14ad088af188abd42280c19cea7490fe80134e7d3278dcbe3
Opcode Fuzzy Hash: ae42777790169d4ff6edf5fab0230c903d40739da18b61ae09ca68f4304208a4
Instruction Fuzzy Hash: 62418630A002485ACB10EB6988017AE7AF59B4D306F55867FAC11A7393DB7CCE1D875B

Function 004298D0 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004298DA
GetTextMetricsA.GDI32(00000000), ref: 004298E3

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(00000000,00000000), ref: 004298F2
GetTextMetricsA.GDI32(00000000,?), ref: 004298FF
SelectObject.GDI32(00000000,00000000), ref: 00429906
ReleaseDC.USER32(00000000,00000000), ref: 0042990E
GetSystemMetrics.USER32(00000006), ref: 00429933
GetSystemMetrics.USER32(00000006), ref: 0042994D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
Instruction ID: 0ef879b540a67ceb128a5e1141d84f2d1524799c58b88ee5a2ee57f477153a9f
Opcode Fuzzy Hash: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
Instruction Fuzzy Hash: 8401A19170971127F310667A9CC2B6F6688DB54368F44053EFA86963E3D96C8C81876E

Function 0041E274 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041E277
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E281
ReleaseDC.USER32(00000000,00000000), ref: 0041E28E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E29D
GetStockObject.GDI32(00000007), ref: 0041E2AB
GetStockObject.GDI32(00000005), ref: 0041E2B7
GetStockObject.GDI32(0000000D), ref: 0041E2C3
LoadIconA.USER32(00000000,00007F00), ref: 0041E2D4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
Instruction ID: 718266ba1944efb5b46721f14e799226cd24d8dfc19287898d5783b558d94fa9
Opcode Fuzzy Hash: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
Instruction Fuzzy Hash: 1111FB70A453015AE340BFA69D52BAA3691D724709F00813BF608EF3D2DB7D5C809BAD

Function 00463E34 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00463F38
SetCursor.USER32(00000000,00000000,00007F02,00000000,00463FCD), ref: 00463F3E
SetCursor.USER32(?,00463FB5,00007F02,00000000,00463FCD), ref: 00463FA8

Strings

Internal error: Item already expanding, xrefs: 00463ED5
, xrefs: 004641CE
, xrefs: 004641B3

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
Instruction ID: aa82ab3995de3935e6727d947cb2bd0e3876d59c6d9623ce98a17a39b04bf081
Opcode Fuzzy Hash: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
Instruction Fuzzy Hash: 67B1E230A00244DFDB14DF65C549B9EBBF1AF45304F1584AAE8459B392E778EE84CB0A

Function 00454498 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F

Strings

[rename], xrefs: 004545E2, 0045461E
NUL, xrefs: 00454641
.tmp, xrefs: 0045453B
MoveFileEx, xrefs: 0045478F
WININIT.INI, xrefs: 0045452D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 7fc08df52904c59b3176bd425c815c443ddc94d3e7b0bfcf8c3a045116732771
Instruction ID: e87d0749b1697b84d3b9cc82c23e20e51564d8fa8ce324392089b518a873d649
Opcode Fuzzy Hash: 7fc08df52904c59b3176bd425c815c443ddc94d3e7b0bfcf8c3a045116732771
Instruction Fuzzy Hash: B8913334E001499BDB01EFA5D882BDEB7B5EF49309F508467E900BB292D77C9E49CB58

Function 0047E980 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58), ref: 0047EAD0
FindClose.KERNEL32(000000FF,0047EAFB,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58,00000000), ref: 0047EAEE

Strings

TG, xrefs: 0047E9C0, 0047E9D7
TG, xrefs: 0047EB72, 0047EA9F, 0047EAA5, 0047EB75

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: TG$TG
API String ID: 2066263336-2531790037
Opcode ID: e11fe1f409109a0bb18fd9fab999c4355e57a24987c5da876cabd545c71bdb31
Instruction ID: 49c023a3d40347f396a503d53546bb693b8cfca30f5629bd36de7deb8458e88f
Opcode Fuzzy Hash: e11fe1f409109a0bb18fd9fab999c4355e57a24987c5da876cabd545c71bdb31
Instruction Fuzzy Hash: F5812C7490024D9FDF11DF96C841ADFBBB9EF4D304F1081EAE508A7291D6399A46CF54

Function 00408B70 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408DB8,?,?,?,?,00000000,00000000,00000000,?,00409DBF,00000000,00409DD2), ref: 00408B8A

Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6

Part of subcall function 00408A04: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C06,?,?,?,00000000,00408DB8), ref: 00408A17

Strings

AMPM, xrefs: 00408D55
mmmm d, yyyy, xrefs: 00408C7B
:mm, xrefs: 00408D6C
:mm:ss, xrefs: 00408D86
m/d/yy, xrefs: 00408C59

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
Instruction ID: a8d7ab9d838d1b353a0e5ff474912d8a0235132b07344be0acb9e4c83fee81e1
Opcode Fuzzy Hash: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
Instruction Fuzzy Hash: D8513D34B001486BDB01FBA5DA41A9F77A9DB98308F50947FB181BB7C6CE3CDA068759

Function 00411B44 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411D49), ref: 00411BDC
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411C9A

Part of subcall function 00411EFC: CreatePopupMenu.USER32 ref: 00411F16

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D26

Part of subcall function 00411EFC: CreateMenu.USER32 ref: 00411F20

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D0D

Strings

,, xrefs: 00411BEF
?, xrefs: 00411BF6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: c987c748b65508a950cf3f2169e5bd87e5634fb74b346734da7ef3b4f05fb7f7
Instruction ID: 125356fab78159fbe3d4b3b77ff780d7a0eb3536e5c02055c9c5492709250fea
Opcode Fuzzy Hash: c987c748b65508a950cf3f2169e5bd87e5634fb74b346734da7ef3b4f05fb7f7
Instruction Fuzzy Hash: 7D512674A001049BDB10EF6AED815EE7BF9EF08304B1141BAFA04E73A2E738D941CB58

Function 0041C2B3 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041C378
GetObjectA.GDI32(?,00000018,?), ref: 0041C387
GetBitmapBits.GDI32(?,?,?), ref: 0041C3D8
GetBitmapBits.GDI32(?,?,?), ref: 0041C3E6
DeleteObject.GDI32(?), ref: 0041C3EF
DeleteObject.GDI32(?), ref: 0041C3F8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C415

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
Instruction ID: 7028de2688ff158aa25c0b8276400e232655bb6670dd4605646626e5bfc1af4e
Opcode Fuzzy Hash: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
Instruction Fuzzy Hash: F651F671E002199FCB50DFE9C8819EEB7F9EB48314B218066F914E7295D638AD81CB68

Function 0041D328 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D34E
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D36D
SelectPalette.GDI32(?,?,00000001), ref: 0041D3D3
RealizePalette.GDI32(?), ref: 0041D3E2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D44C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D48A
SelectPalette.GDI32(?,?,00000001), ref: 0041D4AF

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
Instruction ID: 60201597840efc574cdf5035eb35bbfd27a544e021146ecd029e3556dfc27432
Opcode Fuzzy Hash: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
Instruction Fuzzy Hash: 305121B0A00604AFD714DFA9C985F9AB7F9EF08304F14859AB944D7392C778ED80CB58

Function 00457AD8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00457B2A

Part of subcall function 004246CC: GetWindowTextA.USER32(?,?,00000100), ref: 004246EC

Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
Part of subcall function 0041F2F4: EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457B91
TranslateMessage.USER32(?), ref: 00457BAF
DispatchMessageA.USER32(?), ref: 00457BB8

Strings

[Paused] , xrefs: 00457B60

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 8f39b929066e5dde17ef7bf9f49813106d9eceee4e0607b45077cfdd9f9bed8a
Instruction ID: d952aa0340fda6d06c899081e645d661bac1146de2c671e539639067201b9655
Opcode Fuzzy Hash: 8f39b929066e5dde17ef7bf9f49813106d9eceee4e0607b45077cfdd9f9bed8a
Instruction Fuzzy Hash: BB3196309082445EDB11DFB9E845FDE7BF8DB49318F5180B7E814E7292D67CA909CB29

Function 0046C0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046C21F), ref: 0046C19C
LoadCursorA.USER32(00000000,00007F02), ref: 0046C1AA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1B0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1BA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1C0

Strings

CheckPassword, xrefs: 0046C144

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: c2fe5332046b00ec619954058f05e209d56247e563ca7958298a020a06cd3411
Instruction ID: ee4704442a97aa51a819b3d11b93b6eea7a80086b594a8aac8f18d25b90f0006
Opcode Fuzzy Hash: c2fe5332046b00ec619954058f05e209d56247e563ca7958298a020a06cd3411
Instruction Fuzzy Hash: 063175346402449FD711EF69C8C9F9E7BE4AF49304F5580BAB9449B3E2E7789E40CB49

Function 00478EB4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00478DDC: GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
Part of subcall function 00478DDC: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
Part of subcall function 00478DDC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD

SendMessageA.USER32(00000000,0000004A,00000000,0047926E), ref: 00478EE9
GetTickCount.KERNEL32 ref: 00478F2E
GetTickCount.KERNEL32 ref: 00478F38
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478F8D

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 00478F76
CallSpawnServer: Unexpected response: $%x, xrefs: 00478F1E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: b2e1d8d59d79f67ca6a224e872d53bca437999279a7be28f50c91e0342c7e9be
Instruction ID: 2b74b3330966d0da2430542d23b63ad4dc4eec681a1128910255243e8f8c0985
Opcode Fuzzy Hash: b2e1d8d59d79f67ca6a224e872d53bca437999279a7be28f50c91e0342c7e9be
Instruction Fuzzy Hash: E0319374F502149ADB10EBB9884A7EE76A19F48304F50843EF148EB382DA7C4D0187A9

Function 00459F80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A03B

Strings

CreateAssemblyCache, xrefs: 0045A032
.NET Framework CreateAssemblyCache function failed, xrefs: 0045A05E
Failed to load .NET Framework DLL "%s", xrefs: 0045A020
Fusion.dll, xrefs: 00459FDB
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A046

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
Instruction ID: ac224aa19d502af52a8aeeb8631c7515eb40ef1487658bef2565bb8923ebe5d4
Opcode Fuzzy Hash: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
Instruction Fuzzy Hash: 7931A971E006059FDB10EFA5C88169EB7B4AF44715F50867BE814E7382D7389E18C79A

Function 0041C598 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C498: GetObjectA.GDI32(?,00000018), ref: 0041C4A5

GetFocus.USER32 ref: 0041C5B8
GetDC.USER32(?), ref: 0041C5C4
SelectPalette.GDI32(?,?,00000000), ref: 0041C5E5
RealizePalette.GDI32(?), ref: 0041C5F1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C608
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C630
ReleaseDC.USER32(?,?), ref: 0041C63D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
Instruction ID: 5608d60df95c2c9a4937b8f20fdaccdf81dd4bf5f719291f5ec9f8ce647d196e
Opcode Fuzzy Hash: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
Instruction Fuzzy Hash: 00116DB1A00619BBDF10DBA9CC85FAFB7FCEF48700F14446AB614E7281D67899008B28

Function 004190A4 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 004190C0
GetSystemMetrics.USER32(0000000D), ref: 004190C8
6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 004190CE

Part of subcall function 00410C48: 6F52C400.COMCTL32(?,000000FF,00000000,004190FC,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00410C4C

6F59CB00.COMCTL32(?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 0041911E
6F59C740.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419129
6F59CB00.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000), ref: 0041913C
6F530860.COMCTL32(?,0041915F,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E), ref: 00419152

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MetricsSystem$C400C740F530860F532980
String ID:
API String ID: 209721339-0
Opcode ID: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
Instruction ID: 9903b46d79d4c0b31f098cc3390b5efedd2ad94e5cf824da9eef417fc70482b9
Opcode Fuzzy Hash: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
Instruction Fuzzy Hash: 0611B971B44204BBEB14EFA5CC87F9E73B9EB09704F504166B604EB2C1E5B99D848B58

Function 00485058 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00485110), ref: 004850F5

Strings

ProductType, xrefs: 00485094
System\CurrentControlSet\Control\ProductOptions, xrefs: 0048507C
WinNT, xrefs: 004850A5
LanmanNT, xrefs: 004850BF
ServerNT, xrefs: 004850D9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: f7ac7d87b6566833f8f94ca2fdfd92b371a3bfc49258f80580d53ac0ca8de827
Instruction ID: 02a49102d00d8724c0d73e8972acf5231ddb46999e19ea23a0f5791770e41de6
Opcode Fuzzy Hash: f7ac7d87b6566833f8f94ca2fdfd92b371a3bfc49258f80580d53ac0ca8de827
Instruction Fuzzy Hash: FE11B230A04644ABDB00F766DC56B5F7BA8DB42744F508877A800DB782D73D9E41975D

Function 0044CD48 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044CD18: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CD30

LoadLibraryA.KERNEL32(00000000,00000000,0044CE0A,?,?,?,?,00000000,00000000), ref: 0044CD92
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CDA3
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CDB3

Strings

LresultFromObject, xrefs: 0044CD9D
CreateStdAccessibleObject, xrefs: 0044CDAD
oleacc.dll, xrefs: 0044CD7F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
Instruction ID: 55534d0cd89e21a5042de7d2cb1dd0110792ae2e246426a933e63f936c6ed6e6
Opcode Fuzzy Hash: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
Instruction Fuzzy Hash: 361151B0A01704AFF710EFA1DCC2B5A7BA8E758719F64047BE400666A1DBBD9D448A1C

Function 00496DF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00496E01

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(00000000,00000000), ref: 00496E23
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004973A1), ref: 00496E37
GetTextMetricsA.GDI32(00000000,?), ref: 00496E59
ReleaseDC.USER32(00000000,00000000), ref: 00496E76

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00496E2E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
Instruction ID: 569e85929f3d385eaff6f9e1b1d1d5c6dd8a65a34f46b30b3a8bef4bdf425d44
Opcode Fuzzy Hash: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
Instruction Fuzzy Hash: 36018476A04608AFDB05DBE9CC41F5FB7ECDB49704F11047ABA04E7281D678AE008B68

Function 0041B8B2 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B8C0
SelectObject.GDI32(?,00000000), ref: 0041B8CF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
SelectObject.GDI32(00000000,00000000), ref: 0041B909
SelectObject.GDI32(?,00000000), ref: 0041B917
DeleteDC.GDI32(00000000), ref: 0041B920
DeleteDC.GDI32(?), ref: 0041B929

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
Instruction ID: b8528283d587f8f5f7158778d976388ea9280e6d202ec49eeb693ac58173ed71
Opcode Fuzzy Hash: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
Instruction Fuzzy Hash: 5A118EB2F04619ABDB10D6DDC885FEFB7BCEB08314F044415B614FB241C678AD418B54

Function 004237E4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004237FF
WindowFromPoint.USER32(?,?), ref: 0042380C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042381A
GetCurrentThreadId.KERNEL32 ref: 00423821
SendMessageA.USER32(00000000,00000084,?,?), ref: 0042383A
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423851
SetCursor.USER32(00000000), ref: 00423863

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: bca67253d695687129505d4dd6b4be75de0481567bd8dbfc76009214d22bf118
Instruction ID: d55a13ab3e3fc67d9c1f0c697d1027359b93869cc9afd0973a071b09e334c979
Opcode Fuzzy Hash: bca67253d695687129505d4dd6b4be75de0481567bd8dbfc76009214d22bf118
Instruction Fuzzy Hash: 9901D42230521036D6207B7A5C86E2F22E8CBC5B65F51443FB609BF282D93D8C01976D

Function 00496C14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00496C24
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00496C31
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00496C3E

Strings

MonitorFromRect, xrefs: 00496C2B
GetMonitorInfoA, xrefs: 00496C38
user32.dll, xrefs: 00496C1F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
Instruction ID: 0100053a3692f287516410ec157e21cb1b88c24c6f2ed11ec452f60a58bd69cd
Opcode Fuzzy Hash: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
Instruction Fuzzy Hash: 5AF0F692701B1526DA1025764C81B7B698CCBC27A0F060037BD85A7382E9AD9C0552AD

Function 0045D984 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D98D
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D99D
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D9AD

Strings

ArcFourInit, xrefs: 0045D997
ISCryptGetVersion, xrefs: 0045D987
ArcFourCrypt, xrefs: 0045D9A7

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
Instruction ID: 0705cba7109997b41c54f5ec5154c4026f190107a5f336fc7dc4235633f43cad
Opcode Fuzzy Hash: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
Instruction Fuzzy Hash: E9F030F1901620EBF314EF77AC457273695EBA4302F14843BA445E11B2D7BA085AEA2C

Function 0045DE84 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DE8D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DE9D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DEAD

Strings

BZ2_bzDecompress, xrefs: 0045DE97
BZ2_bzDecompressEnd, xrefs: 0045DEA7
BZ2_bzDecompressInit, xrefs: 0045DE87

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
Instruction ID: ffc1661d06bbefe96a91e36acebf6432405697aaa326f86a6f465272ccde7cfc
Opcode Fuzzy Hash: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
Instruction Fuzzy Hash: 84F01DB1D00A18DED724DF37AC4A72736D5EF74316F08843BA9465A2A2D7B80858DF1D

Function 0042EE6C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,00482671), ref: 0042EE85
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE8B
InterlockedExchange.KERNEL32(0049D66C,00000001), ref: 0042EE9C

Part of subcall function 0042EDFC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
Part of subcall function 0042EDFC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
Part of subcall function 0042EDFC: InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EEB0

Strings

ChangeWindowMessageFilterEx, xrefs: 0042EE7B
user32.dll, xrefs: 0042EE80

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
Instruction ID: d923442659e3b0e51499426f76f6993fec2ee5a704375d7ef0c30b5e995126c2
Opcode Fuzzy Hash: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
Instruction Fuzzy Hash: 1AE06DF1B40724AAEF107B766C86B9B2668EB50769F55003BF104A61E1C7FD0C408A6C

Function 00479E68 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B

Strings

kernel32.dll, xrefs: 00479E69
VerifyVersionInfoW, xrefs: 00479E85
VerSetConditionMask, xrefs: 00479E75

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
Instruction ID: 2eb801612c02c2f681ec2550ef92dd2b82403b3208254216f30f7223daafca7c
Opcode Fuzzy Hash: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
Instruction Fuzzy Hash: BFC0C9E1680710A9D600F7725C82DBB2548D510B25310883FB499651D2E7BD0C144A2C

Function 0041BABC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BB95
GetDC.USER32(?), ref: 0041BBA1
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BBD6
RealizePalette.GDI32(00000000), ref: 0041BBE2
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC10
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC44

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
Instruction ID: d5c29bb792210f064481fc70285f12689ccfb8d13ad776c980584781b3891df8
Opcode Fuzzy Hash: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
Instruction Fuzzy Hash: E4511E74A002099FCF11DFA9C895AEEBBB5FF49704F10406AF500A7790D779AD81CBA9

Function 0041BD8C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BE67
GetDC.USER32(?), ref: 0041BE73
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEAD
RealizePalette.GDI32(00000000), ref: 0041BEB9
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BEDD
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF11

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
Instruction ID: 6bf5c6e251c24ad455d3524f1730cbba616f151bd8f8db37d5e0169c444cf9bf
Opcode Fuzzy Hash: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
Instruction Fuzzy Hash: FD511875A002089FCB11DFA9C891AAEBBF5FF49700F11846AF504EB390D7789D40CBA8

Function 0041B958 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B9CE
GetDC.USER32(?), ref: 0041B9DA
GetDeviceCaps.GDI32(?,00000068), ref: 0041B9F6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA13
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA2A
ReleaseDC.USER32(?,?), ref: 0041BA76

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
Instruction ID: 59801f7e5fcc4ac8ef53bb63f5e7b2fd9dc64a74171921ba3453a8653c00992f
Opcode Fuzzy Hash: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
Instruction Fuzzy Hash: A941C371A042189FCB10DFB9C885A9FBBB4EF49740F1484AAF940EB351D2389D11CBA5

Function 0045D848 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D980,?,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8F2

Strings

MACHINE, xrefs: 0045D896
CLASSES_ROOT, xrefs: 0045D878
CURRENT_USER, xrefs: 0045D887
USERS, xrefs: 0045D8A5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
Instruction ID: 7ee2480e64cf5dcc37247868779a06df4fe5ff89f2b42202383772de8024ccfa
Opcode Fuzzy Hash: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
Instruction Fuzzy Hash: 4811BB75A04204AFE731EBE1C941B9E76ADDF44306F604077AD0496383D67C5F0A952D

Function 0041C1DC Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C225
GetSystemMetrics.USER32(0000000C), ref: 0041C22F
GetDC.USER32(00000000), ref: 0041C239
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C260
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C26D
ReleaseDC.USER32(00000000,00000000), ref: 0041C2A6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
Instruction ID: bd62dbbe377736d475eb9c8390e540ebf9edbe2df99a0055a8dbd9c6863756d8
Opcode Fuzzy Hash: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
Instruction Fuzzy Hash: CA214A74E44608AFEB00EFE9C942BEEB7B4EB48700F10806AF514B7381D6785940CB69

Function 00474770 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D848: SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3

GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 004747FD
GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 00474813

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 00474807
Setting permissions on registry key: %s\%s, xrefs: 004747C2
Failed to set permissions on registry key (%d)., xrefs: 00474824
I, xrefs: 00474785

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s$I
API String ID: 1452528299-1959139981
Opcode ID: fa1a9a8d389e764d463da442ef7f1c9e05787aef6c03ccc219f4a1874d89d582
Instruction ID: 89f83d431bb9d789a293ecef52b9ab2aae7d8ed3921fa29d9781309811a141fd
Opcode Fuzzy Hash: fa1a9a8d389e764d463da442ef7f1c9e05787aef6c03ccc219f4a1874d89d582
Instruction Fuzzy Hash: 15217774A042485FDB00EBA9C8416FEBBE8DB89314F51817BE414E7392DB785D058BAA

Function 0047FA5C Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047FA6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046DA09), ref: 0047FA90
GetWindowLongA.USER32(?,000000EC), ref: 0047FAA0
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047FAC1
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047FAD5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047FAF1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
Instruction ID: ffd9c37a1d4b3a018da72acb707aca8a1d598a80d0625303fdebb2ead6bb840a
Opcode Fuzzy Hash: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
Instruction Fuzzy Hash: D301E9B6A54210ABD600DB78CD41F6637E8AB0C310F0A4776FA5DDF3E3C679D8048A08

Function 0041B6C0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041AB30: CreateBrushIndirect.GDI32 ref: 0041AB9B

UnrealizeObject.GDI32(00000000), ref: 0041B6CC
SelectObject.GDI32(?,00000000), ref: 0041B6DE
SetBkColor.GDI32(?,00000000), ref: 0041B701
SetBkMode.GDI32(?,00000002), ref: 0041B70C
SetBkColor.GDI32(?,00000000), ref: 0041B727
SetBkMode.GDI32(?,00000001), ref: 0041B732

Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
Instruction ID: 4060aa1d5abe481981ad85160ceff6bfe730d60da31349b060da60163fdb8f1a
Opcode Fuzzy Hash: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
Instruction Fuzzy Hash: AAF0CD75601100ABDE04FFBADACAE4B77989F043097048057B908DF197CA7CE8A08B3A

Function 00499644 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

ShowWindow.USER32(?,00000005,00000000,004998A9,?,?,00000000), ref: 0049967A

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Part of subcall function 004076F8: SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703

Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1

Strings

.msg, xrefs: 004996E0
Uninstall, xrefs: 00499660
.dat, xrefs: 004996C1
IMsg, xrefs: 0049974E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: b59174c22afc0cb4d84e45ba041c7c5ab1d45157887829cd53cd9da25efcf179
Instruction ID: 4da38b6a349b60b5a60df07f01633cb26419001f7db46277bbb3aa66fc0d4d29
Opcode Fuzzy Hash: b59174c22afc0cb4d84e45ba041c7c5ab1d45157887829cd53cd9da25efcf179
Instruction Fuzzy Hash: A1313074A10114AFCB01FFAACC5295E7B75FB49318B51887AF800A7352EB39AD04CB59

Function 0042EEF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF2A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF30
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF59

Strings

ShutdownBlockReasonCreate, xrefs: 0042EF20
user32.dll, xrefs: 0042EF25

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 0a1a7f0b35af10bec52672da06a2906d532a44599cf47327945e1bb0849fc05d
Instruction ID: 50bd107db23699165094570332042a9a2090c4fb9dd7a9a9ac1c8e9692f1be1d
Opcode Fuzzy Hash: 0a1a7f0b35af10bec52672da06a2906d532a44599cf47327945e1bb0849fc05d
Instruction Fuzzy Hash: D7F0F0E134062237E620B27FAC86F7F55CC8F94729F150036B608EA2C2EA7C9905426F

Function 004587F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458824
GetExitCodeProcess.KERNEL32(?,?), ref: 00458845
CloseHandle.KERNEL32(?,00458878), ref: 0045886B

Strings

GetExitCodeProcess, xrefs: 0045884E
MsgWaitForMultipleObjects, xrefs: 00458831

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
Instruction ID: 4c05e8df3edacc9d455a33c3a45c96e3e51f685ffe720196e50d624f784124f1
Opcode Fuzzy Hash: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
Instruction Fuzzy Hash: 3E01A274A00204AFDB10FBA98C52A1E73A8EB45715FA0057AFD10F73D2DE39AD048A28

Function 0042EDFC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29

Strings

ChangeWindowMessageFilter, xrefs: 0042EE08
user32.dll, xrefs: 0042EE0D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 2ae9261505c9f67baa706182e7b3239f9e45ce3b55a3ca64683e2b7ae62260b5
Instruction ID: 37ab6c1781d9ace597be808b0f82a5ae7151ca86b9dce60fc565c366ef428a29
Opcode Fuzzy Hash: 2ae9261505c9f67baa706182e7b3239f9e45ce3b55a3ca64683e2b7ae62260b5
Instruction Fuzzy Hash: 76E0ECB1B41320AAEA1137726C8AF5726559B2471DF950437F108671E2C6FC1C84C91D

Function 00478DDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD

Strings

user32.dll, xrefs: 00478DF2
AllowSetForegroundWindow, xrefs: 00478DED

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: baaddf851ddbcde89e908f2650d0d7dd5a96bc2ff5b27e890b2c54087906d01e
Instruction ID: c95bb4f0dd120990503e7052118a19d741abdcedadff55ee9c16c600a1fe714f
Opcode Fuzzy Hash: baaddf851ddbcde89e908f2650d0d7dd5a96bc2ff5b27e890b2c54087906d01e
Instruction Fuzzy Hash: EFD09EB168060165E910B3B69D4AE9B235C89847647248C3FB458E2586DF7CD894457D

Function 0041707C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004170A2
SaveDC.GDI32(?), ref: 004170D3
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00417195), ref: 00417134
RestoreDC.GDI32(?,?), ref: 0041715B
EndPaint.USER32(00000000,?,0041719C,00000000,00417195), ref: 0041718F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
Instruction ID: 2d0e89e5730252ba578d2efb55dda1d595b63161fefa896777b830b1b9f6ffa1
Opcode Fuzzy Hash: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
Instruction Fuzzy Hash: 9B412170A08204AFDB04DFA5C985FAA77F9FF48314F1544AEE4059B362C7789D85CB18

Function 00414C50 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414C86
MulDiv.KERNEL32(?,?,?), ref: 00414CA0
MulDiv.KERNEL32(?,?,?), ref: 00414CC9
MulDiv.KERNEL32(?,?,?), ref: 00414CF4
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414D3C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
Instruction ID: f067b59d413d1c4671d71e094a7f62e666ee1dcd53ee7561759f320ec3b01eff
Opcode Fuzzy Hash: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
Instruction Fuzzy Hash: 6F314F70605740AFC720EF69D984BABB7E8AF89314F04891EF9D5C7751D638EC808B59

Function 0041C008 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041C01A
GetSystemMetrics.USER32(0000000C), ref: 0041C024
GetDC.USER32(00000000), ref: 0041C062
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0A9
DeleteObject.GDI32(00000000), ref: 0041C0EA

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
Instruction ID: f919feb2cfdf9cb53746996a9db251afb7e4286801c3fccb61a5d2ca1bdc7bf1
Opcode Fuzzy Hash: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
Instruction Fuzzy Hash: A3313E74A40205EFDB04DFA5C981AAEB7F5EB48704F11856AF510AB381D7789E80DB98

Function 00429C1C Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C58
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C87
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CA3
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429CCE
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429CEC

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ef5cab32e95011e4c7cfb0abff5a7214c11a7d164d3b5ed8cb8a22c4c4654b6
Instruction ID: 0478e77fbb77d274a7bfb783d11adee83c5a4069cdde94f0426c34ba09fc350e
Opcode Fuzzy Hash: 5ef5cab32e95011e4c7cfb0abff5a7214c11a7d164d3b5ed8cb8a22c4c4654b6
Instruction Fuzzy Hash: 222190707107147AE710AFA7DC82F4B76EC9B40704F90443E7906AB2D2DAB8ED41861D

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 00414830 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414869
RealizePalette.GDI32(00000000), ref: 00414871
SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414885
RealizePalette.GDI32(00000000), ref: 0041488B
ReleaseDC.USER32(00000000,00000000), ref: 00414896

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
Instruction ID: aeb03e62d8ddadf83c94429ec28f403801e3a8d1cb621d3e7bfc21001d019430
Opcode Fuzzy Hash: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
Instruction Fuzzy Hash: 3201DF7520C3806AD600B63D8C85A9F6BEC9FCA314F15946EF484DB3C2CA7AC8018761

Function 004073F4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407453
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 004074CD
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407525

Strings

Z, xrefs: 0040748C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
Instruction ID: 2310e9831ee7c99a0a8649866770d0a98cc310fb2cf5807583ec8a4e9daa3455
Opcode Fuzzy Hash: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
Instruction Fuzzy Hash: 41519070E04208AFDB11DF99C845A9EBBB9EB49314F1448BAE400B72D1D778AE418B5A

Function 0044D598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D626
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D651
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D6D9

Strings

, xrefs: 0044D60B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
Instruction ID: 5f00bac91b28cdab45bfb944687f04cfacea2c0ae70fe3b1c590f7ffbabf3d5b
Opcode Fuzzy Hash: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
Instruction Fuzzy Hash: 7C517271E00248AFDB11DFA9C885BDEBBF8AF49304F15847AE805EB252D7389944CB64

Function 0042F400 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042F42A

Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7

SelectObject.GDI32(?,00000000), ref: 0042F44D
ReleaseDC.USER32(00000000,?), ref: 0042F52C

Strings

...\, xrefs: 0042F4DE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
Instruction ID: 21909acc4746510f695b318a8719c62c66087a48e53e42bcbae852ee139bb065
Opcode Fuzzy Hash: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
Instruction Fuzzy Hash: E1314270B00229ABDB11EF9AD851BAEB7F9EB48308F90447BF410A7291C7785E45CA59

Function 00454024 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123

Strings

.tmp, xrefs: 004540C7
_iu, xrefs: 004540B5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
Instruction ID: 59545500d2eeb09234598e35ee9a1648d273934097dc79d2b475452d37d3be57
Opcode Fuzzy Hash: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
Instruction Fuzzy Hash: 8431C570E00209ABCF11EB95C942BEEBBB5AF54309F20452AF900BB3D2D7385F459759

Function 00416860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
UnregisterClassA.USER32(?,00400000), ref: 004168FB
RegisterClassA.USER32(?), ref: 0041691E

Strings

@, xrefs: 00416879

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 972889012e988871c021c5b3915c115c32e7dca9cc0b0972fc7e6fa2a96e2fd7
Instruction ID: c7ae62685634f2feb307fa6559a912500e41153472d9d2bb59c10c8b55fc2cbc
Opcode Fuzzy Hash: 972889012e988871c021c5b3915c115c32e7dca9cc0b0972fc7e6fa2a96e2fd7
Instruction Fuzzy Hash: C6318E706043008BDB10EF68C885B9B77E9AB89308F00457FF985DB392DB39DD458B5A

Function 00499AF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA

Strings

isRS-%.3u.tmp, xrefs: 00499B47

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
Instruction ID: 0b841a000e743cb9e8da0cfb8565bc532e10ded45a2cf007f5af54a585f9ef1c
Opcode Fuzzy Hash: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59

Function 00457398 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419

Strings

LoadTypeLib, xrefs: 004573F7
RegisterTypeLib, xrefs: 00457424

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
Instruction ID: 195147ed2e8b8ae7ced7006412bb8845aee82bd7b9f018cfdf51d436bcb33606
Opcode Fuzzy Hash: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
Instruction Fuzzy Hash: C911D630B04204BFDB01DFA6DC51A4EBBADEB4A305F108076FD04D3652DA389E04C618

Function 00457950 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045796A
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A07

Strings

Failed to create DebugClientWnd, xrefs: 004579D0
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 96d37884a0109ccc9dd8bbdd55bd34cbe6755c3aabe39c11de9650ea9973cdf2
Instruction ID: b12cfe17c44d9b7297a0742d7ace06ebf4c30bfebd2037bde928bbf0dce3c7c1
Opcode Fuzzy Hash: 96d37884a0109ccc9dd8bbdd55bd34cbe6755c3aabe39c11de9650ea9973cdf2
Instruction Fuzzy Hash: 1311C4B16082509BE310AB299C81B5F77949B54319F04443BF9849F383D3B99C18C7AE

Function 00479934 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C

GetFocus.USER32 ref: 0047999F
GetKeyState.USER32(0000007A), ref: 004799B1
WaitMessage.USER32(?,00000000,004799D8,?,00000000,004799FF,?,?,00000001,00000000,?,?,0048174F,00000000,00482671), ref: 004799BB

Strings

Wnd=$%x, xrefs: 00479983

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
Instruction ID: 0ce6ec70c77c992717eb959f135b56f98f7128e6f958ad4e09c8363bf76ba6b5
Opcode Fuzzy Hash: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
Instruction Fuzzy Hash: 0511A3B0604244AFDB00FF69D842ADEB7B8EB49704B51C5BBF508E7381D738AD00CA69

Function 0046F428 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046F430
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046F43F

Strings

(invalid), xrefs: 0046F4C2
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046F4B4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
Instruction ID: b1f3f51ab816b97a6d4fd488e4796d5760ecc8acc51059d8482d4647201c4143
Opcode Fuzzy Hash: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
Instruction Fuzzy Hash: F111F5A040C3919AD340DF2AC44072BBAE4AB99708F44896FF9C8D6381E779C948DB67

Function 004546DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004546EB

Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB

MoveFileA.KERNEL32(00000000,00000000), ref: 00454710

Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07

Strings

DeleteFile, xrefs: 004546FC
MoveFile, xrefs: 00454719

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
Instruction ID: 274a2e09890dd6abd1f20e60e4879b25532b4b8e44e7f96c1dbb1ac345d4d7c6
Opcode Fuzzy Hash: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
Instruction Fuzzy Hash: 53F08B746141445BE701FBA5D94265FA7ECEB8431EF50403BB800BB6C3DB3C9D08492D

Function 00484FB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00484FF1
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485014

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00484FBE
CSDVersion, xrefs: 00484FE8

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 8d7ca411ea9e754ca79f01cf2f30b9d2c9f8e2d0c9492ca206519446712ee48d
Instruction ID: 3d9820a6fde95d05ac542d305ffe0a0e534a7c1f4e1b62a11fb8fb702f882c01
Opcode Fuzzy Hash: 8d7ca411ea9e754ca79f01cf2f30b9d2c9f8e2d0c9492ca206519446712ee48d
Instruction Fuzzy Hash: E7F04975A40608E6DF10FAD18C55BDF73BCAB05704F604967E510E7281E7399A049BAE

Function 00465214 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BB28: LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A

Part of subcall function 004651E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004651FB

LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265

Strings

SHPathPrepareForWriteA, xrefs: 00465231
shell32.dll, xrefs: 0046524C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 1442766254-2683653824
Opcode ID: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
Instruction ID: 415eb7409d81aa8454bb2dd4c72fa8b3e514a75415032da6adba06dceafb32ff
Opcode Fuzzy Hash: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
Instruction Fuzzy Hash: F5F04470640A08BFD700FB62DC53F5E7BACEB45718FA044B7B400B6591EA7C9E04892D

Function 00459B60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD

Strings

InstallRoot, xrefs: 00459B9C
.NET Framework not found, xrefs: 00459BBC
SOFTWARE\Microsoft\.NETFramework, xrefs: 00459B80

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: deea85188aa12689871c1150ceca2f68809688995ae8b7fb4ba5acb78cb4dab7
Instruction ID: 9ff5366a1843594bb80037a440052cb9e88b760eaf161db27522a6c9f4c26c6f
Opcode Fuzzy Hash: deea85188aa12689871c1150ceca2f68809688995ae8b7fb4ba5acb78cb4dab7
Instruction Fuzzy Hash: 2AF0AF31300121EBEB10EB17AC41B5E6789DB91316F18443BFA81C7253F6BCDC46862E

Function 0042DD40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60

Strings

GetSystemWow64DirectoryA, xrefs: 0042DD50
kernel32.dll, xrefs: 0042DD55

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
Instruction ID: 2c7f72bc3db4c40d16b1b765d912767d34fa58fe4c646cc18e222b4ed7f6fe44
Opcode Fuzzy Hash: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
Instruction Fuzzy Hash: 0FE02660B60F1113D70071BA5C8379B208D4B84718F90043F3984F52C6DDBDD9490A6E

Function 0042EFA4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF20), ref: 0042EFB2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFB8

Strings

user32.dll, xrefs: 0042EFAD
ShutdownBlockReasonDestroy, xrefs: 0042EFA8

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
Instruction ID: 02ec898c6c75b1ba26151a3eebd585b8454ae7040b346800783755fde70e6890
Opcode Fuzzy Hash: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
Instruction Fuzzy Hash: 01D0A993302B3332AA1071FB3DC19BB02CC8D202AA3670033F600E2280EA8CCC4012AC

Function 0044FD1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D

Strings

NotifyWinEvent, xrefs: 0044FD4D
user32.dll, xrefs: 0044FD52

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
Instruction ID: af032255d430417ffea63134fe83afc5c4b4dbba1536058c56e775f9f11b8dd5
Opcode Fuzzy Hash: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
Instruction Fuzzy Hash: B2E012E0E417449AFB00BBB96D467193AD0EF6471DF10007FB540A6291C77C44489B1D

Function 0049A250 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260

Strings

DisableProcessWindowsGhosting, xrefs: 0049A250
user32.dll, xrefs: 0049A255

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
Instruction ID: dac1c8ebddd32ae9bf6a035aad1c8d1f3cf840f271d0053423bdda14aa0d062e
Opcode Fuzzy Hash: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
Instruction Fuzzy Hash: 09B09281686A01509C4033F20C06A1B0E08484171871800B73400F12C6CE6E842404FF

Function 00476744 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042F2BC: GetTickCount.KERNEL32 ref: 0042F2C2

Part of subcall function 0042F0D8: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F10D

GetLastError.KERNEL32(00000000,004768B9,?,?,0049E1E4,00000000), ref: 004767A2

Strings

MoveFileEx, xrefs: 00476807
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 00476877
, xrefs: 004767DA, 004767F5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
Instruction ID: 03a236e7dc5f504d91790a0ce298dd5dba96fa6117a2cc3ee4ad00c9fc2b7c38
Opcode Fuzzy Hash: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
Instruction Fuzzy Hash: 53418474A006098BCB00EFA5D882ADE77B9EF48314F52853BE414B7391D7389E05CBAD

Function 00414148 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00414196
GetDesktopWindow.USER32 ref: 0041424E

Part of subcall function 00419310: 6F59C6F0.COMCTL32(00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 0041932C
Part of subcall function 00419310: ShowCursor.USER32(00000001,00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 00419349

SetCursor.USER32(00000000,?,?,?,?,00413F43,00000000,00413F56), ref: 0041428C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
Instruction ID: 6a264f145c0982e92da272f414c83554030b66ece25ea6070dcdf00fca6814f6
Opcode Fuzzy Hash: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
Instruction Fuzzy Hash: 30414170A10151AFC710EF6DDD89B5677E5ABA9318B05807BE409CB366C738DC81CB1D

Function 00408EA4 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408EC5
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F34
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408FCF
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040900E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
Instruction ID: d606a76aa49eec759d07c5becdfef17a6c6b9766ea912d15a143196380f0994c
Opcode Fuzzy Hash: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
Instruction Fuzzy Hash: C73162706083815AD330EB65C945BDBB7D99F8A304F00483FB6C8D72D2DB799904876B

Function 0044EE9C Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EEE5

Part of subcall function 0044D528: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D55A

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EF69

Part of subcall function 0042C004: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C018

IsRectEmpty.USER32(?), ref: 0044EF2B
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EF4E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 975d6f0bacda975cfe83ce1eab8afcd9494905b79e3112c8c9d866416d3664bd
Instruction ID: 5be5a2c99a49a2f339bd726f9f517b743d06364a043e5a66e7e3b57b404dc1d6
Opcode Fuzzy Hash: 975d6f0bacda975cfe83ce1eab8afcd9494905b79e3112c8c9d866416d3664bd
Instruction Fuzzy Hash: 5B118C3170031027E610BA7E8C82B5F66C99B88748F01483FB60AEB387DDB8DC09835E

Function 0049720C Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00497270
OffsetRect.USER32(?,00000000,?), ref: 0049728B
OffsetRect.USER32(?,?,00000000), ref: 004972A5
OffsetRect.USER32(?,00000000,?), ref: 004972C0

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
Instruction ID: e718e50738441f611e1ccbf74e0cde98489d487b8bfa6672397ae6e260ffa509
Opcode Fuzzy Hash: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
Instruction Fuzzy Hash: BE214FB67142016BCB00DF69CD85E5BB7EEEBD4340F14CA2AF544C728AD634E9448796

Function 00417668 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004176B0
SetCursor.USER32(00000000), ref: 004176F3
GetLastActivePopup.USER32(?), ref: 0041771D
GetForegroundWindow.USER32(?), ref: 00417724

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 6c3ac19022b264060b45d73ebcd70729185e734ffe6bab55d55db2cfe9612f2c
Instruction ID: dbcb3e4d6cdf237ebd373b45723c7518e1d79ef9827cdcdbbe1e0fb97faef126
Opcode Fuzzy Hash: 6c3ac19022b264060b45d73ebcd70729185e734ffe6bab55d55db2cfe9612f2c
Instruction Fuzzy Hash: 8121CF303086018BC710EF29D980ADB73B1AB44768F52447BE8688B392D73DEC81CA8D

Function 00496EC4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 00496ED9
MulDiv.KERNEL32(50142444,00000008,?), ref: 00496EED
MulDiv.KERNEL32(F6E65FE8,00000008,?), ref: 00496F01
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00496F1F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
Instruction ID: e3308cc84e827548128d2b2e4dd5895a6eb2c6c5d9673f95432de963ba277a10
Opcode Fuzzy Hash: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
Instruction Fuzzy Hash: CB113372604204AFCF40DFA9D8C4D9B7BECEF4D324B15516AF918DB24AD634ED408BA4

Function 0041F8D0 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F8C0,?), ref: 0041F8F1
UnregisterClassA.USER32(0041F8C0,00400000), ref: 0041F91A
RegisterClassA.USER32(0049B598), ref: 0041F924
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F95F

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 2c6c52059b860e5687bb0614cf61ad31389445ce60e69e295929954b72f96d02
Instruction ID: 2f8fb42507e3cd1bc96778dfed7eead12d65e2047fb8f4462c71738803dd6c65
Opcode Fuzzy Hash: 2c6c52059b860e5687bb0614cf61ad31389445ce60e69e295929954b72f96d02
Instruction Fuzzy Hash: B7012DB16141047BCB10FBA8ED81E9A379CD719318B11423BB505E72A1D739D8168BAC

Function 0040D460 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D477
LoadResource.KERNEL32(00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64,0000000A,00000000), ref: 0040D491
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64), ref: 0040D4AB
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?), ref: 0040D4B5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 073da2e1467bd4923794a1699de9deb8666d8abafae58723814b459cf24724ae
Instruction ID: 736189130eb46f944708fe8ab0dcf7c2da2e7d83e7efdb8d5663637d3260b2f8
Opcode Fuzzy Hash: 073da2e1467bd4923794a1699de9deb8666d8abafae58723814b459cf24724ae
Instruction Fuzzy Hash: FCF04FB3A005046F8B04EE9DA881D5B76DCDE88364310013AFD08EB282DA38DD018B78

Function 004019CC Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: af9432a4a2f11b04810e4d66a6e0dd8d5d7e21dce30ad7e75a74316efdc90f86
Instruction ID: 7339f3ebbe1eed2a5a633cb922c09bf0bd68a71b88021a6e55e3f3fb74b7268e
Opcode Fuzzy Hash: af9432a4a2f11b04810e4d66a6e0dd8d5d7e21dce30ad7e75a74316efdc90f86
Instruction Fuzzy Hash: AB01CCB0E482405EFB19AF699902B293FD4D799748F51803BF441A7AF1CA7C6840CB2E

Function 00456538 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000,0045BFD1), ref: 00456574
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000), ref: 0045657D
RemoveFontResourceA.GDI32(00000000), ref: 0045658A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045659E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 18bbce5fff6d48609ef0ee32c883151f01d971de8c147fc0902137a50bd33190
Instruction ID: 60fc6220e6421739c6cddc48edde2e304ed69df2a150d613f8e8855ad9854c81
Opcode Fuzzy Hash: 18bbce5fff6d48609ef0ee32c883151f01d971de8c147fc0902137a50bd33190
Instruction Fuzzy Hash: 27F054B174531076EA10B6B6AC47F5B22CC8F54749F54483A7604EB2C3D57CDD04966D

Function 00470C50 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 00470CA1

Strings

Setting NTFS compression on directory: %s, xrefs: 00470C6F
Unsetting NTFS compression on directory: %s, xrefs: 00470C87
Failed to set NTFS compression state (%d)., xrefs: 00470CB2

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: dfbe84044b29f3d57c509b65a983513d49cbe1f7a65d8e2e78e9d92552162f9b
Instruction ID: 2f8c6a7a6e35e8588bbb9e762321129d74c961a1f58895d436786832a4f1a68a
Opcode Fuzzy Hash: dfbe84044b29f3d57c509b65a983513d49cbe1f7a65d8e2e78e9d92552162f9b
Instruction Fuzzy Hash: 04018B30D09248AACB15D7ED94812DDFBE89F0D305F54C1EFA459E7342DF790A08879A

Function 004713FC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0047144D

Strings

Unsetting NTFS compression on file: %s, xrefs: 00471433
Setting NTFS compression on file: %s, xrefs: 0047141B
Failed to set NTFS compression state (%d)., xrefs: 0047145E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: fe182551a98f743fcb6dc7018ea21a6c51c49eaeb083c5d16317d3ad1726425c
Instruction ID: a30ff693f52cd42e459b797e94763e7277481e0955e0c4e592f957c66b82d28b
Opcode Fuzzy Hash: fe182551a98f743fcb6dc7018ea21a6c51c49eaeb083c5d16317d3ad1726425c
Instruction Fuzzy Hash: 41016730D0424866CB1497AD64422DDBBE89F4D315F94C1EFA458E7352DE790A0887AA

Function 0047944C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000,0049A5EB), ref: 00479455
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000), ref: 0047945B
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047947D
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047948E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
Instruction ID: 6505384fcc0360b3c734b71afb4e1a1a4ab6f9baee95e57f14d901b11eacad59
Opcode Fuzzy Hash: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
Instruction Fuzzy Hash: 90F030716447006BD600EAB58D82E9B73DCEB44354F04883EBE98CB2C1D678DC08AB76

Function 00424690 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042469C
IsWindowVisible.USER32(?), ref: 004246AD
IsWindowEnabled.USER32(?), ref: 004246B7
SetForegroundWindow.USER32(?), ref: 004246C1

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
Instruction ID: 92c4e0b2622c21c1aafdf32b5a5e60d634be871c9bac48645995030a32fad986
Opcode Fuzzy Hash: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
Instruction Fuzzy Hash: BBE01261B0293157AA31FA7AA885A9F118CDD47BC43460277BC41F7297DB2CDC1045FD

Function 0047B524 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047CE0D,?,00000000,00000000,00000001,00000000,0047B7C1,?,00000000), ref: 0047B785

Strings

Failed to parse "reg" constant, xrefs: 0047B78C
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047B5F9

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 684bb0749049f9b56ef336efe55875cadaaeb758c41cb9d5aa092f380e5d2a32
Instruction ID: f1421b174eee6fc7f54e6f8e7a43c19df08b7389384ab18ee26f4796af10067b
Opcode Fuzzy Hash: 684bb0749049f9b56ef336efe55875cadaaeb758c41cb9d5aa092f380e5d2a32
Instruction Fuzzy Hash: 89815175E00208AFCB10DFA5D481BDEBBF9EF48354F50816AE454A7391DB38AE05CB99

Function 0046D8CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 0046D9F8
Failed to proceed to next wizard page; aborting., xrefs: 0046D9E4

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
Instruction ID: 84e2974eb34e4f2dda2b8c8cb2eefec3d4715c8d151fead2dfc4afe0ae77ca03
Opcode Fuzzy Hash: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
Instruction Fuzzy Hash: 4D319E70F04204EFD711EB69D989BA977F5EB05304F6500BBE408AB3A2D7786E44CB1A

Function 0045080C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004508A1
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004508D2

Strings

open, xrefs: 004508C5

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: ecebf72486316a37e3830fd15e4a4b51011a10e5760c3bac1abab3b5df80333e
Instruction ID: f57ce05e9eba324e121f638db0535f08eb0d68243c76b72727f5d658c61a4d86
Opcode Fuzzy Hash: ecebf72486316a37e3830fd15e4a4b51011a10e5760c3bac1abab3b5df80333e
Instruction Fuzzy Hash: 4C216075E00604BFDB00EFA9C981E9EB7F8EB44705F10817AB904F7292D7789A45CB88

Function 004559F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00455A94
GetLastError.KERNEL32(0000003C,00000000,00455ADD,?,?,?), ref: 00455AA5

Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27

Strings

<, xrefs: 00455A4E

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
Instruction ID: 1dd1e4a4b05f96b02f6cdc30b2026c57645841094811f513de853399c4f5318c
Opcode Fuzzy Hash: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
Instruction Fuzzy Hash: 482151B0A00649AFDB00DF65D8926AE7BE8EF08345F50413BF844E7281E7789E49CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049D420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049D420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,02152B20,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 6cd487279c882ad8b73ab70f6921dc77a3e8d3550fda99517b88d6d0f9ae5c50
Instruction ID: 570f99ef1d3d95e4b4d80a2adc1962b98f522b57bc72750d6ce688ebb538822c
Opcode Fuzzy Hash: 6cd487279c882ad8b73ab70f6921dc77a3e8d3550fda99517b88d6d0f9ae5c50
Instruction Fuzzy Hash: CE110131B042046FEB25AF799F1A62AAAD4D79575CB64087FF404F32D2D9BD9C02826C

Function 00498416 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00498451

Strings

@, xrefs: 0049841C
/INITPROCWND=$%x , xrefs: 0049847C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
Instruction ID: a9318bdce5e824465d4436be78f64917a5ae5ef5b8220d929174e0d313b11457
Opcode Fuzzy Hash: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
Instruction Fuzzy Hash: EF119370A082059FDB01DBA9D851BAEBBE8EF49314F11847BE504E7292EA3C99058B58

Function 004478B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00447966

Strings

Unknown Method, xrefs: 0044793F
NIL Interface Exception, xrefs: 00447908

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
Instruction ID: 10ddd43a001eab7360299ad3f405319ab988bcee1c7d5b08318f9ee426dd8228
Opcode Fuzzy Hash: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
Instruction Fuzzy Hash: 9211E9716042089FEB10EFA58D51A6FBBBDEB09304F91403AF500F7281C7789D01C769

Function 00497C88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000,00497D2B), ref: 00497CF6
CloseHandle.KERNEL32(00497D90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000), ref: 00497D0D

Part of subcall function 00497BE0: GetLastError.KERNEL32(00000000,00497C78,?,?,?,?), ref: 00497C04

Strings

D, xrefs: 00497CD0

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
Instruction ID: a89f5070db7a5e6d261d16ca7c1b7ea99db6432e353ebe52f8e4aa70fd7af1a9
Opcode Fuzzy Hash: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
Instruction Fuzzy Hash: 1001A1B0608248AFDB00DBA5DC42FAF7BACDF09704F60013BF504E72C1E6785E008668

Function 0042E1B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E1C8
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E208

Strings

Inno Setup: No Icons, xrefs: 0042E1C6

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 5fa1588eb3983bc8147b11ac52db8119f930d32b550c0df0fd023eaaf2352da0
Instruction ID: e7333c3f072e055346127a6a42ec618886ffe365ff3054ef7f5207155727e60c
Opcode Fuzzy Hash: 5fa1588eb3983bc8147b11ac52db8119f930d32b550c0df0fd023eaaf2352da0
Instruction Fuzzy Hash: 3C01DB32745371A9F73145137D41B7B65CC8B42B60F64057BF941FA2C1DA68AC0592BE

Function 004535CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 00453607
GetLastError.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 0045360F

Strings

@8H, xrefs: 0045363D

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: @8H
API String ID: 1799206407-3762495883
Opcode ID: 65c44507f9335e4e2a077e4ee2190135d3d5d768f820153090acd923ffb3f295
Instruction ID: 2a718f5fbeded0ca4f0ca1a684ecb9b724474f3cd93569f9f0dcaab09f3de9c7
Opcode Fuzzy Hash: 65c44507f9335e4e2a077e4ee2190135d3d5d768f820153090acd923ffb3f295
Instruction Fuzzy Hash: 49F0F971A04204BBCB10DF7AAC4249EF7ECDB49362711457BFC14D3342E6784E088598

Function 004998EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047E3D0: FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6

Part of subcall function 0047E0A8: GetTickCount.KERNEL32 ref: 0047E0F2

Part of subcall function 00457A90: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457AAF

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049A243), ref: 00499941
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049A243), ref: 00499947

Strings

Detected restart. Removing temporary directory., xrefs: 004998FB

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
Instruction ID: 3ff60914118e938cb0b4ccf38de38d34f2fcffefe5e82e60aedbfe03ba6cc694
Opcode Fuzzy Hash: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
Instruction Fuzzy Hash: 7DE0E5B12086446EDE1277AB6C1796B3F8CD74A76CB11447FF80491652E82D4C108A3D

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356

Strings

`6V, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: `6V
API String ID: 2123368496-3162666886
Opcode ID: 4c2fff2b42c352919ceac1b40f57867521b0a3bfc58f22e25f1018fd897ed554
Instruction ID: 62cda813ad8590bce7ae974c015f7103e9ff33e1479b40d519804c4e019ae8dd
Opcode Fuzzy Hash: 4c2fff2b42c352919ceac1b40f57867521b0a3bfc58f22e25f1018fd897ed554
Instruction Fuzzy Hash: 26C00260D012059AE750AFB6A846B152A94A75934DF8044BFB104BA2E2DA7C82066BDE

Function 00455E10 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00455E2F
Sleep.KERNEL32(?), ref: 00455E3F
GetLastError.KERNEL32 ref: 00455E52
GetLastError.KERNEL32 ref: 00455E5C

Memory Dump Source

Source File: 00000001.00000002.2030314553.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2030240390.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030375236.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030393926.000000000049C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030410711.000000000049D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2030427859.00000000004E6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_msgtopstdemo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 162f6e589a9a3ecbf727cd3144cb36b5133ad9a431805f826c669b7668a8d72d
Instruction ID: 0e0098d5c51f6c3332c54b3c49cab550602dc5c9badc8da443834b62d3c24bba
Opcode Fuzzy Hash: 162f6e589a9a3ecbf727cd3144cb36b5133ad9a431805f826c669b7668a8d72d
Instruction Fuzzy Hash: BCF02B32F00914E74F30A76AA88393F628CDA417A6720012BFC04DB303D53CDE0586A8

Analysis Process: MsgToPst.exePID: 7752, Parent PID: 7304COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	10

Executed Functions

Function 00DCD129 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DCD1B6
GetCurrentThread.KERNEL32 ref: 00DCD1F3
GetCurrentProcess.KERNEL32 ref: 00DCD230
GetCurrentThreadId.KERNEL32 ref: 00DCD289

Strings

/fdR, xrefs: 00DCD154

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: Current$ProcessThread
String ID: /fdR
API String ID: 2063062207-297486749
Opcode ID: ca09291f75a98544c4f994e63eca10ad85e6e8a3dd9a094f3f35225de7d1433f
Instruction ID: fbb5d9eb84b0260666e032c1507b38eb13c5cba5264d817e09468e0120f5930b
Opcode Fuzzy Hash: ca09291f75a98544c4f994e63eca10ad85e6e8a3dd9a094f3f35225de7d1433f
Instruction Fuzzy Hash: 005155B09003498FDB14DFA9D948BEEBBF1AF48314F2484ADE449A7360DB349984CB65

Function 00DCD138 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DCD1B6
GetCurrentThread.KERNEL32 ref: 00DCD1F3
GetCurrentProcess.KERNEL32 ref: 00DCD230
GetCurrentThreadId.KERNEL32 ref: 00DCD289

Strings

/fdR, xrefs: 00DCD154

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: Current$ProcessThread
String ID: /fdR
API String ID: 2063062207-297486749
Opcode ID: 141aec2fe6e17159686557a9a1e58472843a8dde4a53789276bfe8b45e8f69ed
Instruction ID: 5d1b61d73ab33aea7ebe556a2ea7f265ccb1573dcfc42a02895aff687bdde462
Opcode Fuzzy Hash: 141aec2fe6e17159686557a9a1e58472843a8dde4a53789276bfe8b45e8f69ed
Instruction Fuzzy Hash: 1B5124B09003099FDB14DFA9D948BAEBBF1BF88314F24846DE419A7360DB749984CB65

Function 00DCAEB0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DCB106

Strings

/fdR, xrefs: 00DCB0BF

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: HandleModule
String ID: /fdR
API String ID: 4139908857-297486749
Opcode ID: 1976dbe517c9328e203d637796468c07ce0124658916142ab931f0bedb034234
Instruction ID: 789d1b4ba2bc8af978913d36de1f185c5de717d285252fc4ed7b6ce5f2ddae61
Opcode Fuzzy Hash: 1976dbe517c9328e203d637796468c07ce0124658916142ab931f0bedb034234
Instruction Fuzzy Hash: 52714870A00B068FD724DF29D145B5ABBF1FF48304F148A2DE48AD7A50D775E949CBA1

Function 00DC4528 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00DC5A59

Strings

/fdR, xrefs: 00DC59DC

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: Create
String ID: /fdR
API String ID: 2289755597-297486749
Opcode ID: b714828550814fdb503b596d8ffcee1d337455419e5112fd5dba6b5d5b0e8a45
Instruction ID: 7715f7cf30b5e652d880e4efbe680cafc4f33aa053b63ee6056ce2294e1ba91a
Opcode Fuzzy Hash: b714828550814fdb503b596d8ffcee1d337455419e5112fd5dba6b5d5b0e8a45
Instruction Fuzzy Hash: 6341E2B0C00719CADB24DFAAC884B9EBBF5BF48304F24815AD409AB255DB756985CF91

Function 00DC599D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00DC5A59

Strings

/fdR, xrefs: 00DC59DC

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: Create
String ID: /fdR
API String ID: 2289755597-297486749
Opcode ID: c92fba1aa649ac35257b5308a6c142abca49c9be0e0f62474eac10a39f390dc9
Instruction ID: 3ba2051c21e5bfd6b79d6e40aa3ed0ffa8f07f5dcab82d544bd13508bc86d14b
Opcode Fuzzy Hash: c92fba1aa649ac35257b5308a6c142abca49c9be0e0f62474eac10a39f390dc9
Instruction Fuzzy Hash: 0341F3B0C00719CEDB24DFAAC984B8DBBF5BF48304F24816AD409AB255DB756986CF90

Function 00DCD378 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCD407

Strings

/fdR, xrefs: 00DCD39F

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: DuplicateHandle
String ID: /fdR
API String ID: 3793708945-297486749
Opcode ID: d960fa55113fe2b6d6fd8cde691cb9a95e30b4735f7ddd9a043f74c22e68ea39
Instruction ID: d7ffa5ca242be031e497998b0f74bbdbab3a034997a09d561bad30e5a587b783
Opcode Fuzzy Hash: d960fa55113fe2b6d6fd8cde691cb9a95e30b4735f7ddd9a043f74c22e68ea39
Instruction Fuzzy Hash: FA2103B5D002499FDB10CFAAD984AEEBFF5EB48310F14802AE958A7310C374A941CF60

Function 00DCD380 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCD407

Strings

/fdR, xrefs: 00DCD39F

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: DuplicateHandle
String ID: /fdR
API String ID: 3793708945-297486749
Opcode ID: c1ca0c36331ac01671df30b6422c9c37bd97d0cb345bf4875af54562cf39dfef
Instruction ID: 39e48f3ff74ccb41d990ae48f643f9bcf3c93fd75859e055a63f6642563228ca
Opcode Fuzzy Hash: c1ca0c36331ac01671df30b6422c9c37bd97d0cb345bf4875af54562cf39dfef
Instruction Fuzzy Hash: FB21E4B5D002099FDB10CF9AD984ADEFFF5EB48310F14802AE954A3310D374A940CFA5

Function 00DCB0A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DCB106

Strings

/fdR, xrefs: 00DCB0BF

Memory Dump Source

Source File: 00000005.00000002.2952098148.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_dc0000_MsgToPst.jbxd

Similarity

API ID: HandleModule
String ID: /fdR
API String ID: 4139908857-297486749
Opcode ID: 83dec34a0216e4c0b79f5da1d116ad15b89ecfc17994e45d1f945e6e113dc80f
Instruction ID: abbef178a427aacaeed72807c66c8eccef2a50112362534b290ab837c0fbe101
Opcode Fuzzy Hash: 83dec34a0216e4c0b79f5da1d116ad15b89ecfc17994e45d1f945e6e113dc80f
Instruction Fuzzy Hash: B9110FB5C003498FCB10DF9AD444BDEFBF4AB89320F14842AD468B7210C375A545CFA1

Function 00D6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951770407.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d6d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428792d3ce0876344459068973f4a7e65ec61375ad562962ca9e458faa4e7fb5
Instruction ID: 578bef2445d15ed72d9afd4ef79b19407bfec6bf00aa6392f1ac97df933069f9
Opcode Fuzzy Hash: 428792d3ce0876344459068973f4a7e65ec61375ad562962ca9e458faa4e7fb5
Instruction Fuzzy Hash: 4B212571A04240DFCB05DF14E9C0B26BF66FB98318F24C569E84A4B656C336D856CAB1

Function 00D7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951853661.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d7d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25959ccc7c8779c06816754e6eb84f9e2c104161c644a2b9e5931e862c4ebf1
Instruction ID: 74121fcdcd5e1bb8b656c8a61d8cb4748368cefb1ba7affc418070104a34d82f
Opcode Fuzzy Hash: b25959ccc7c8779c06816754e6eb84f9e2c104161c644a2b9e5931e862c4ebf1
Instruction Fuzzy Hash: FE21D071604200EFDB05DF14D980B26BBB6FF84314F24C6ADE94D4B296D336D846CA75

Function 00D7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951853661.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d7d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081adc72137cec5f7916660067bbb231f3cd26a9082a832100d8be171409a9ee
Instruction ID: 56203368ea0473104d3c94760e698ca405fb329a28998851b324bd97a3c62ae3
Opcode Fuzzy Hash: 081adc72137cec5f7916660067bbb231f3cd26a9082a832100d8be171409a9ee
Instruction Fuzzy Hash: A021FF75604200DFCB14DF24D984B26BBB6EF88314F24C56DE84E4B296D33AD847CA71

Function 00D7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951853661.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d7d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee4d31e2bc85eab346fbf3eaa793b278f0df2564cc00b28ba072a908988a134
Instruction ID: 268f4b3e82eacaa02429424ac1a371da7bb332cc84f9fa87ec42cabc722aff08
Opcode Fuzzy Hash: 4ee4d31e2bc85eab346fbf3eaa793b278f0df2564cc00b28ba072a908988a134
Instruction Fuzzy Hash: 7F214F755093808FDB12CF24D994715BF72EF46214F28C5EAD8498B6A7D33A980ACB62

Function 00D6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951770407.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d6d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1a401bb2287d2da130b23acbf9884f837d99b200a1df7f0944a7e2f39fb48a0f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E311D376904280CFCB16CF14D5C4B16BF72FB94318F28C6AAD84A0B656C336D85ACBA1

Function 00D7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951853661.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d7d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: bb2caeefd7f02f0d9a746c436e3c87cd2bc35644997d995090523eaebba34909
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 6C117975504280DFDB16CF14D5C4B15BBB2FB84314F28C6AAD8494B696D33AD84ACB61

Function 00D6D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951770407.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d6d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a71d3aa9ab48de80a5775601a41d03adcf03785be2a09058722eeae4505dc79
Instruction ID: 5e4deef1718122d4f2aaff8b99f57a5db27efa0f456cd43be8ed1998339e0648
Opcode Fuzzy Hash: 6a71d3aa9ab48de80a5775601a41d03adcf03785be2a09058722eeae4505dc79
Instruction Fuzzy Hash: 7801F731A083449BE7104A25DDC4767BF99EF40325F2CC429EC4A4A182C678D840C6B3

Function 00D6D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2951770407.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d6d000_MsgToPst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2acc919789b5680dc8e6a9381ce355a364a7c0f2b9a81215cd15f9826a192a
Instruction ID: 1f77897377b8d2398716c901211e7249db758a38f4a2857b328d1b97df960050
Opcode Fuzzy Hash: fc2acc919789b5680dc8e6a9381ce355a364a7c0f2b9a81215cd15f9826a192a
Instruction Fuzzy Hash: 25F0C2715043449BE7108A16D8C4B62FFA8EF90334F28C45AED090E282C2799840CAB1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msgtopstdemo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Config.txt (copy)

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-SNPO1.tmp

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.dat

C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Datavare MSG to PST Converter - Demo Version.lnk

C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll

C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
msgtopstdemo.exe

Function 00404654 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 174
libraryloaderCOMMON

Function 0040A018 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 00409520 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Function 0040AF57 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
COMMON

Function 0040AF42 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 00409E8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Function 0040ACB4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117
windowCOMMON

Function 0040ACCF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
windowCOMMON

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 004097D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 00409978 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre